The FBI this week announced it is offering a USD $3 million bounty for information leading to the arrest and/or conviction of one Evgeniy Mikhailovich Bogachev, a Russian man the government believes is responsible for building and distributing the ZeuS banking Trojan.
Bogachev is thought to be a core architect of ZeuS, a malware strain that has been used to steal hundreds of millions of dollars from bank accounts — mainly from small- to mid-sized businesses based in the United States and Europe. Bogachev also is accused of being part of a crime gang that infected tens of millions of computers, harvested huge volumes of sensitive financial data, and rented the compromised systems to other hackers, spammers and online extortionists.
So much of the intelligence gathered about Bogachev and his alleged accomplices has been scattered across various court documents and published reports over the years, but probably just as much on this criminal mastermind and his associates has never seen the light of day. What follows is a compendium of knowledge — a bit of a dossier, if you will — on Bogachev and his trusted associates.
I first became aware of Bogachev by his nickname at the time –“Slavik” — in June 2009, after writing about a $415,000 cyberheist against Bullitt County, Kentucky. I was still working for The Washington Post then, but that story would open the door to sources who were tracking the activities of an organized cybercrime gang that spanned from Ukraine and Russia to the United Kingdom.
Not long after that Bullitt County cyberheist story ran, I heard from a source who’d hacked the Jabber instant message server that these crooks were using to plan and coordinate their cyberheists. The members of this crew quickly became regular readers of my Security Fix blog at The Post after seeing their exploits detailed on the blog.
They also acknowledged in their chats that they’d been in direct contact with the Zeus author himself — and that the gang had hired the malware author to code a custom version of the Trojan that would latter become known as “Jabberzeus.” The “jabber” part of the name is a reference to a key feature of the malware that would send an Jabber instant message to members of the gang anytime a new victim logged into a bank account that had a high balance.
Here’s a snippet from that chat, translated from Russian. “Aqua” was responsible for recruiting and managing a network of “money mules” to help cash out the payroll accounts that these crooks were hijacking with the help of their custom Jabberzeus malware. “Dimka” is Aqua’s friend, and Aqua explains to him that they hired the ZeuS author to create the custom malware and help them troubleshoot it. But Aqua is unhappy because the ZeuS author declined to help them keep it undetectable by commercial antivirus tools.
dimka: I read about the king of seas, was that your handiwork?
aqua: what are you talking about?
aqua: yes, we are using it right now. its developer sits with us on the system
dimka: it seems to be very popular right now
aqua: but that fucker annoyed the hell out of everyone. he refuses to write bypass of [anti-malware] scans, and trojan penetration is only 35-40%. we need better
aqua: http://voices.washingtonpost.com/securityfix read this. here you find almost everything about us
aqua: we’re using this [custom] system. we are the Big Dog. the rest using Zeus are doing piddly crap.
Days later, other members of the Jabberzeus crew were all jabbering about the Bullitt County cyberheist story. The individual who uses the nickname “tank” in the conversation below managed money mules for the gang and helped coordinate the exchange of stolen banking credentials. Tank begins the conversation by pasting a link to my Washington Post story about the Bullitt County hack.
firstname.lastname@example.org: That is about us. Only the figures are fairytales.
email@example.com/dimarikk: This was from your botnet account. Apparently, this is why our hosters in service rejected the old ones. They caused a damn commotion.
firstname.lastname@example.org: I have already become paranoid over this. Such bullshit as this in the Washington Post.
email@example.com/dimarikk: I almost dreamed of this bullshit at night. He writes about everything that I touch in any manner…Klik Partners, ESTHost, MCCOLO…
firstname.lastname@example.org: Now you are not alone. Just 2 weeks before this I contacted him as an expert to find out anything new. It turns out that he wrote this within 3 days. Now we also will dream about him.
In a separate conversation between Tank and the Zeus author (using the nickname “lucky12345” here), the two complain about news coverage of Zeus:
tank: Are you there?
tank: This is what they damn wrote about me.
tank: [pasting a link to the Washington Post story]
tank: I’ll take a quick look at history
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: Well, you got it from that cash-in.
lucky12345: From 200k?
tank: Well, they are not the right amounts and the cash out from that account was shitty.
tank: Levak was written there.
tank: Because now the entire USA knows about Zeus.
lucky12345: It’s fucked.
After the Bullitt County story, my source and I tracked this gang as they hit one small business after another. In the ensuing six months before my departure from The Post, I wrote about this gang’s attacks against more than a dozen companies in the United States.
By this time, Slavik was openly selling the barebones ZeuS Trojan code that Jabberzeus was built on to anyone who could pay several thousand dollars for the crimeware kit. There is evidence he also was using his own botnet kit or at least taking a fee to set up instances of it on behalf of buyers. In late 2009, security researchers had tracked dozens of Zeus control servers that phoned home to domains which bore his nickname, such as slaviki-res1.com, slavik1[dot]com, slavik2[dot]com, slavik3[dot]com, and so on. Continue reading →