Global cybercrime fraud boss ran secret pro-Moscow intel sorties
Australia first on fraud menu for secretive Zeus kings.
Black Hat 2015 The elusive head of one of the world's most successful online criminal gangs, wanted by the FBI, was quietly using the Gameover Zeus banking trojan for political espionage in line with Russian interests and may have the protection of Moscow, researchers contend.
Evgeniy Mikhailovich Bogachev, better known online as Slavik, has evaded arrest despite a $US3 million bounty set by the FBI.
Bogachev is thought to be the co-head of a six-member highly-secretive criminal circle calling itself the Business Club that was using the highly capable Gameover Zeus malware to fleece banks of more than an estimated $US100 million.
The unprecedented insight into the Business Club by Dutch firm Fox IT reveals that Bogachev kept his investigations into Ukrainian, Georgian, and Turkish government intelligence agencies secret from the other members of the group who hail from those countries.
In one instance he probed Ankara regarding what it knew of the movement of Russian fighters to Syria, according to the research.
The work is a product of years of collaboration between Fox IT, Crowdstrike, and the FBI revealed at Black Hat Las Vegas this week.
"After looking at the whole set of search queries, it is quite likely that Slavik, who had set up and enjoyed full access to ZeuS command and control servers, was involved in more than just the crime ring around peer-to-peer ZeuS," principal security expert Michael Sandee says in the report [PDF].
"We could speculate that due to this part of his work he had obtained a level of protection, and was able to get away with certain crimes as long as they were not committed against Russia.
"This (espionage) is rather unusual to find in financial malware, and has fed speculation it could be one of the reasons why Slavik has so far been able to evade capture."
Bogachev also redeployed one botnet the Club had previously used in bank raids to spy on the Ukrainian Government in the wake of the Euromaidan Revolution in 2014, which saw the seating of a more pro-Western government.
The Russian Interior Ministry did not immediately respond to a request for comment.
Membership of the Business Club requires long-term vetting, buy-in, and a profit-sharing agreement.
Krasnodar. Credit: Martin Hawlisch.
Lucky Country
Business Club members including Bogachev are mostly based around the Russian town of Krasnodar, just under 100 miles northeast of the Black Sea port of Novorossiysk. However, some 50 outer circle members reside across Russia's 11 time zones.
This arrangement, Sandee says, enables the crew to attack global banks during normal business hours.
Australia is the first country on the Business Club's daily hacking hit list. The criminals then move on to other parts of Asia and Europe, finishing in the US.
Their tool, GameOver Zeus, is a private and custom version of the infamous Zeus trojan that sports a botnet of some 200,000 nodes. It was estimated to have stolen up to 30 terabytes of data, and was used to drain bank accounts, foist ransomware, and for Bogachev, for espionage. It was taken down in May last year when Bogachev was indicted.
Stolen funds are alleged to have been wired into bank accounts in shell companies on the Russia-China border utilising several Chinese banks.
The maturity of the model has impressed researchers.
"The maturity of how they evolved could have been an example out of a Harvard business book," Fox IT vice president Andy Chandler says.
"The Business Club … used their criminal talents to expand from retail banking to commercial banking and branch off to new areas like espionage and ransomware."
The core Club membership included the two leaders, a support crew, and "preferred suppliers". Each possessed specific skill sets and would implement certain features for the fraud operations. Bogachev used such talent to set up and secure Linux servers, for example.
The research reveals the Club was the first to defeat two-factor authentication systems with 'hybrid token-grabber attacks', known internally as 'The World Bank Center', a preferred means of financial fleecing. ®