
The ZeuS trojan's retirement and its never-caught creator, with a $3M bounty on his head

He was ahead of his time in 2009, but today other threat actors have taken the stage

Published: November 2, 2021 By Darina Shramko

Title image: the story of an elusive Russian hacker whom no secret service can catch

Image source – pixabay.com

Russian hackers are among the most skillful and ruthless cybercriminals, and they have left their mark in almost every corner of the world (at least many think so). They are known for stealing large amounts of money, for spyware, and for massive cyberattacks that target millions of people worldwide.

Among today's Russian hackers, there is one whose name has occupied the minds of the American secret services for more than a decade. He is considered the founder of cyber-blackmail and is one of the most authoritative hackers in the world.

His story is fantastic and full of strange details that are hard to take in: how does this man still walk freely around Russia and feel safe?

Today we will find out how he managed to steal $7 million in one transaction and why he revealed his own email address.

Current hacker trends

Before we discuss the phenomenon of the Russian hacker, it is worth saying that trends in the IT world change faster than fashion.

What was relevant several years ago has now lost its value. Technologies are constantly improving, so hackers must constantly improve their skills to keep pace with new trends.

For many years, today's hero remained one of the most authoritative hackers, whose name never left the front pages of American newspapers. But, according to the expert Vicious, his time is long gone, even though we are talking about events of the past decade.

Back then, the most successful strategy was to conduct large-scale, lightning-fast cyberattacks designed for immediate gain. Our hero acted on exactly this principle, cashing out Americans' accounts.

Now that the skill level of cybersecurity specialists has grown and former hackers have taken up the defense of state security, hackers need to act differently: sneak into other people's networks and remain unnoticed for years.

The loot has also changed: now the target is sensitive information, which is worth far more than seven-figure sums in bank accounts.

For example, DarkSide is now considered one of the most dangerous hacker groups. The organization existed for less than a year but managed to cause a fuel crisis in the United States.

They paralyzed Colonial Pipeline, halting the transport of about 45% of the fuel consumed on the US East Coast. As a result, the average price of gasoline in the country exceeded $3 per gallon (3.8 liters), the highest since 2014.

There are suggestions that the group has links with Russia, since it does not attack Russian-language sites.

In addition, according to Acronis, the group's malware does not run on computers that use Russian keyboard layouts.

DarkSide is a new-generation hacker organization that rents its software to partners, communicates with the press, and does not attack medical, government, or non-profit organizations.

On May 14, DarkSide ceased operations, citing the growing threat from the United States and the loss of part of its infrastructure. In less than a year, the group earned more than $60 million.

As you can see, modern hackers pursue entirely different motives for their cyberattacks.

Even though today's hero does not give the impression that his activities would succeed in the new realities, he remains one of the most mysterious Russian hackers. He has left his mark on history forever!

Slavik from Anapa

The offender's real name is Evgeniy Mikhailovich Bogachev, born on October 28, 1983, in Russia. According to the latest data, the hacker lives in the Russian resort town of Anapa, cruises the Black Sea on his yacht, and enjoys life.

Bogachev appeared in the Internet community under the nicknames "slavik", "Lucky12345", and "Pollingsoon". For a long time, reliable information about the identity and whereabouts of "slavik" remained unavailable.

Little is known about the 38-year-old hacker's personal life: he is married and has a daughter.

Evgeniy Bogachev's photos

Image source – fbi.gov

The New York Times compiled a dossier on the cybercriminal, which says that Bogachev owns a collection of luxury cars but prefers to drive his Jeep Grand Cherokee.

The dossier also says that Bogachev owned two villas in France and an impressive fleet of cars. The hacker's cars were parked at various points across Europe, so he always had a car when traveling.

It is believed that Evgeniy Bogachev has three Russian passports under different names, which he uses when crossing state borders.

According to the NYT, the hacker works closely with the Russian intelligence services, which collected data from the computers he hacked.

So, what is the criminal's dangerous activity, and why has a record $3 million reward been set for his capture?

Cybercriminal activity

Evgeniy Bogachev's criminal activities began in the spring of 2009. At that time, the FBI noticed that the losses of large sums of money from banks had one feature in common: all the transactions were made from IP addresses inside the companies themselves.

How could this happen? Investigators established that all of these computers had been infected with the Zeus Trojan.

The detection of the trojan became the starting point of a long cyberwar with Evgeniy Bogachev.

ZeuS

ZeuS (or Zbot) is a trojan and botnet of a new type that appeared in 2007. The trojan was created to intercept passwords for payment systems in order to steal funds.

To date, it has been established that the damage from this trojan amounts to more than $80 million!

ZeuS is a flexible, fast, and agile trojan. It silently enters the victim's computer through phishing emails and infects the entire system, intercepting passwords and other confidential data.

ZeuS was written in Visual C++ and targets all Windows versions. Because its design lets it work without installing drivers, ZeuS can infect the target computer even from a guest account.

After infection, the virus enters the system and intercepts user login data (passwords, PIN codes, answers to security questions, etc.).

Having received this data, ZeuS transfers small amounts of money to the accounts of other infected systems, making it impossible to trace the hacker's account.

Moreover, the compromised computers were combined into a botnet: a network of thousands of machines whose resources were secretly used.

It was found that some versions of the ZeuS trojan were disguised with a digital signature from Kaspersky Lab. A careful examination of this signature revealed some differences, and the signature was deemed a forgery.
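The forged Kaspersky signature is the classic case where a defender must rely on the cryptographic verification result, not on the vendor name printed in the signer field. The following PowerShell audit is an added example (not from the original article and not any vendor's tooling): it walks a folder, verifies each executable's Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and flags binaries that claim a watched vendor name while failing verification. The folder path and the vendor list are assumptions chosen for illustration.

```powershell
# Added example, not part of the original article. Assumes a Windows host with
# PowerShell 5.1 or later. $ScanRoot is a hypothetical folder you want to audit.
param(
    [string]$ScanRoot = "$env:ProgramData\Suspect",   # hypothetical folder to audit
    [string[]]$WatchedVendors = @("Kaspersky")        # signer names worth a second look
)

$results = Get-ChildItem -Path $ScanRoot -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<unsigned>" }

        # Any status other than Valid means cryptographic verification failed: the file was
        # modified after signing (HashMismatch), the chain does not reach a trusted root
        # (NotTrusted), or there is no signature at all (NotSigned). The subject string on
        # its own proves nothing, because anyone can put a vendor's name in a certificate.
        $claimsWatchedVendor = $WatchedVendors | Where-Object { $subject -like "*$_*" }

        [pscustomobject]@{
            Path       = $_.FullName
            Status     = $sig.Status
            Signer     = $subject
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { "" }
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Suspicious = ($sig.Status -ne 'Valid') -and [bool]$claimsWatchedVendor
        }
    }

# Binaries that name a watched vendor but fail verification are the forged-signature case.
$results | Where-Object { $_.Suspicious } | Format-Table Path, Status, Signer -AutoSize

# Everything else that fails verification is still worth review. Unsigned files are common
# for legitimate software, so treat Status as a triage signal rather than a verdict.
$results | Where-Object { $_.Status -ne 'Valid' -and -not $_.Suspicious } | Format-Table Path, Status, Signer -AutoSize
```

The SHA256 and certificate thumbprint are recorded so that a flagged file can be correlated with threat intelligence or compared against a known-good copy of the vendor's binary; a genuine signature from the named vendor verifies as Valid and chains to a trusted root, which is the difference a forgery cannot reproduce.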

In addition to the Windows versions, there are five more varieties of the virus for mobile devices (mainly Android devices).

When ZeuS was discovered in 2009, the FBI did not know who had created the virus; they knew only an anonymous figure with the pseudonyms "Slavik", "Lucky12345", and "Pollingsoon". But, as you can see, these pseudonyms say nothing about the criminal's identity.

Meanwhile, ZeuS became a universal weapon for any cybercriminal; with its help, the bank accounts of individuals and large companies were emptied.

Years passed, and Slavik, the creator of ZeuS, behaved more than professionally: the FBI still did not have a single clue that could reveal the criminal's identity.

Evgeniy "Slavik" Bogachev regularly released ZeuS updates, improving his spy brainchild. He gathered a team of enthusiastic hackers around him; as a result, investigators could not keep up with the number of new cyberattacks.

However, in September 2009, the FBI got hold of the correspondence of Slavik's group members, written in Russian. In it, they found mentions of hundreds of victims.

Investigators also found that the fraudsters used money mules to cash out the stolen money: the mules went to banks in New York, opened new accounts, and a few days later withdrew specific sums for a modest commission.

How the ZeuS fraud works

Image source – fbi.gov

There was a real money boom: tens of thousands of dollars appeared in accounts out of nowhere thanks to transfers by Slavik and his accomplices!

This activity became a real job for some mules: they started withdrawing money at 9 am and finished only in the afternoon.

Bogachev's criminal activities in the United States were just a drop in the ocean. In total, 196 countries have been affected by ZeuS!

Computers were infected via email, infected files, phishing links, and social networks. It was the first time in history that malware was spread via social media. For example, several photo messages sent to users via Facebook redirected them to sites hosting ZeuS.

The spread of ZeuS hit the United States, India, and Italy particularly hard.

Interestingly, one ZeuS modification contained a hidden message. The hackers expressed their gratitude to the developers of Kaspersky Anti-Virus and Avira AntiVir and called the NOD32 and Symantec antiviruses "stupid".

The original text of the message looks like this:

Thanks to KAV and Avira for the new quests. I like it! NOD32 and SAV are stupid!

In 2010, the FBI managed to arrest more than 40 members of Slavik's criminal group around the world, but the gang's leader again eluded the special services.

Slavik, the man behind the ZeuS criminal scheme, remained a phantom: someone no one had ever seen.

The hacker lay low for a year, but in the fall of 2011, cybersecurity experts noticed new modifications of ZeuS appearing on the network.

The program's source code had become public, which allowed anyone to use and improve the malicious program.

However, one version of the trojan still differed from the others in its complexity and in its mechanisms for surviving and keeping running when attacked from outside.

This is how Gameover ZeuS was born.

Gameover ZeuS

Gameover ZeuS is a trojan for stealing banking data, based on its ancestor ZeuS.

Unlike ZeuS, the new trojan uses an encrypted peer-to-peer network for communication between its nodes and its command-and-control servers, making it virtually invulnerable.

During infection, Gameover establishes a connection to the server, after which it can render the infected system unusable. Gameover ZeuS also has its own botnet.

It is worth noting that Gameover ZeuS was used to distribute another piece of malware: CryptoLocker.

In June 2014, the US Department of Justice reported that a covert operation against the botnet, called "Operation Tovar", had temporarily cut the connection between the virus and its control servers. It was an attempt to free the computers infected with Gameover ZeuS.

Experts who studied Gameover ZeuS concluded that very skillful hackers led by Slavik control the program.

Bogachev then returned to criminal activity and created a new hacker group, the Business Club.

Initially, the Business Club attacked banks, and the hackers were interested only in accounts holding six-figure (or larger) sums.

So that the victim would not notice the loss of large sums from their accounts, a message about an error or failure in the banking system was displayed on their screen, and it stayed there for several days.

In just one "working" day, the attackers could steal $7 million in a single transaction!

It was no longer possible to hide such transfers, so the hackers began hiding the money inside the banking system itself, among trillions of streams of legitimate transactions.

Experts say that the Gameover ZeuS phenomenon revolutionized the world of cybercrime!

Gameover Zeus malware structure

Image source – lockmedown.com

In addition to stealing large sums of money, Slavik's group also introduced cyber blackmail, which continues to flourish today.

The hackers infect the victim's computer with a program that blocks access to all data and demands a $500 ransom for unblocking it. Thanks to its massive scale, cyber blackmail brought Slavik and his accomplices a good income.

In November 2013, even a police station in Massachusetts was forced to pay $750 in Bitcoin to remove the restrictions from its computers.

Various special services and international organizations tried to stop the activities of the Business Club, but all their attempts failed.

However, FBI cyber squad agent J. Keith Mularski, having teamed up with private cyber researchers, began an investigation into the Slavik case. They turned to many international corporations for help, including Microsoft, in order to finally neutralize the Business Club spy group.

After long research, experts found out that the group had about 50 criminals, each of whom paid a certain amount of money for membership.

Leaders of the Business Club organization

Image source – lockmedown.com

A few months into the joint research, Fox-IT specialists from the Netherlands discovered an important detail: on a British server, they were able to trace the email address Slavik used to run the Business Club.

The experts matched the email address with an account on one of the Russian social networks and found that a certain Slavik was Evgeniy Mikhailovich Bogachev.

Investigators could not believe their eyes: could such a brilliant hacker have made such a ridiculous mistake? By no means! Many cyber experts concluded that Bogachev deliberately revealed his name to announce himself to the world.

Gameover ZeuS was both a means of stealing data and a sophisticated tool for reconnaissance.

For example, someone using the trojan searched for information about the Russian-Syrian conflict, weapons supplies, and Georgian intelligence.

It is assumed that Bogachev also cooperates with the Russian secret services. It was discovered that immediately after the Russian invasion of Crimea, part of the botnet began searching for classified Ukrainian files.

According to experts, Slavik could have started cooperating with the Russian special services as early as 2010, while pretending to have ceased his criminal activity. Perhaps Bogachev entered into such an agreement with the Russian special services in exchange for his safety.

Elusive hacker

On June 2, 2014, the FBI and the US Department of Justice indicted Bogachev in absentia on 14 counts.

In 2015, the FBI announced that it was ready to pay a record $3 million for the capture of Evgeniy Bogachev. It is one of the highest rewards ever offered for catching a criminal!

Bogachev was surpassed only by Maksim Yakubets: in 2019 the US State Department announced a $5 million reward for information about him.

At the end of December 2016, the United States included Bogachev on the sanctions list.

Despite the international wanted list and information about the hacker's alleged whereabouts, he remains at large and out of reach.

There is no extradition treaty between the United States and Russia, so while he stays in Russia, Bogachev can calmly continue his luxurious life and, presumably, help the Russian special services track an unknown number of people.

At the moment, the exact amount that Bogachev misappropriated is unknown…

Conclusion

The phenomenon of Evgeniy Bogachev once again demonstrates the power and flexibility of hacker thinking.

He is invisible because, as long as he is on Russian territory, he is in no danger. Bogachev's actions are thought out to the smallest detail; he is cunning and ingenious: the absolute Mr. Evil of the cybercriminal world!

Do you think there is anyone in the world who can stop Evgeniy Bogachev? Or will he remain a "thief in law", profiting from ordinary people?

If you want to know about the fate of other well-known hackers, please write their names (or any other info) in the comments under this post, and I will tell you about them.

Be careful in cyberspace!

Author
Darina Shramko
Cybersecurity specialist and researcher.

1 comment on "The ZeuS trojan's retirement and its never-caught creator"

Anonymous:
Please write about Dark Dante