US authorities charged Dridex gang members for stealing over $100 Million

US DoJ charged two Russian citizens for deploying the Dridex malware and for their involvement in international bank fraud and computer hacking schemes.

The U.S. Department of Justice (DoJ) has charged Russian citizens Maksim V. Yakubets (32) and Igor Turashev (38) with distributing the infamous Dridex banking Trojan and with involvement in international bank fraud and computer hacking schemes.

The 10-count indictment, unsealed today, charges Yakubets and Turashev with conspiracy, computer hacking, wire fraud, and bank fraud. It covers the distribution of the malware the pair used to automate the theft of sensitive financial and personal information such as online banking credentials, as well as, in more recent attacks, the infection of victims with ransomware.

The Bugat malware is a multifunction malware package designed to automate the theft of confidential personal and financial information.

The malware implements sophisticated evasion techniques. As its operators improved it and added functionality, its name changed first to “Cridex” and later to “Dridex.”

“According to the indictment, Bugat is a malware specifically crafted to defeat antivirus and other protective measures employed by victims.  As the individuals behind Bugat improved the malware and added functionality, the name of the malware changed, at one point being called “Cridex,” and later “Dridex,” according to the indictment.” reads the press release published by DoJ. “Bugat malware was allegedly designed to automate the theft of confidential personal and financial information, such as online banking credentials, and facilitated the theft of confidential personal and financial information by a number of methods.  For example, the indictment alleges that the Bugat malware allowed computer intruders to hijack a computer session and present a fake online banking webpage to trick a user into entering personal and financial information.”

According to the indictment, the criminal duo used the stolen banking credentials to make unauthorized transfers from the victims’ bank accounts to accounts owned by “money mules.” The criminals then moved the money to other accounts, or withdrew the funds and transported them overseas as smuggled bulk cash.

“For over a decade, Maksim Yakubets and Igor Turashev led one of the most sophisticated transnational cybercrime syndicates in the world,” said U.S. Attorney Brady. “Deploying ‘Bugat’ malware, also known as ‘Cridex’ and ‘Dridex,’ these cybercriminals targeted individuals and companies in western Pennsylvania and across the globe in one of the most widespread malware campaigns we have ever encountered.  International cybercriminals who target Pennsylvania citizens and companies are no different than any other criminal: they will be investigated, prosecuted and held accountable for their actions.” 

Yakubets is considered the leader of the gang behind the Bugat malware and botnet, the cybercrime group known as Evil Corp, while Turashev allegedly handled other functions, including system administration, management of the internal control panel, and oversight of botnet operations.

“Evil Corp has used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft,” the U.S. Treasury Department said in a separate press release. “This malicious software has caused millions of dollars of damage to U.S. and international financial institutions and their customers.”

The U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program is offering a reward of up to $5 million for information leading to the arrest of Yakubets.

Yakubets is also suspected of providing “direct assistance to the Russian FSB intelligence agency.”

“As of April 2018, Yakubets was in the process of obtaining a license to work with Russian classified information from the FSB.  As a result, Yakubets is also being designated pursuant to E.O. 13694, as amended, for providing material assistance to the FSB.  Additionally, as of 2017, Yakubets was tasked to work on projects for the Russian state, to include acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf.” continues the U.S. Treasury Department.

Before working with his Evil Corp accomplices, Yakubets also collaborated with Evgeniy Bogachev, another notorious Russian cybercriminal, responsible for the distribution of the infamous Zeus, Jabber Zeus, and GameOver Zeus malware.

According to the complaint, the deployment of the Zeus malware resulted in the attempted theft of an estimated $220 million USD, with actual losses of an estimated $70 million USD from victims’ bank accounts.

The Treasury Department also sanctioned other cybercriminals linked to the Evil Corp gang:

  • Denis Gusev, a senior member of Evil Corp, is also being designated today for his active role in furthering Evil Corp’s activities. Gusev also serves as the General Director for six Russia-based businesses. These entities include Biznes-Stolitsa, OOO, Optima, OOO, -Invest, OOO, TSAO, OOO, Vertikal, OOO, and Yunikom, OOO.
  • Dmitriy Smirnov, Artem Yakubets, Ivan Tuchkov, Andrey Plotnitskiy, Dmitriy Slobodskoy, and Kirill Slobodskoy for carrying out critical logistical, technical, and financial functions such as managing the Dridex malware, supervising the operators seeking to target new victims, and laundering the proceeds derived from the group’s activities.
  • Aleksei Bashlikov, Ruslan Zamulko, David Guberman, Carlos Alvares, Georgios Manidis, Tatiana Shevchuk, Azamat Safarov, and Gulsara Burkhonova for being part of the network of money mules who are involved in transferring stolen funds obtained from victims’ bank accounts to accounts controlled by members of Evil Corp.

Pierluigi Paganini

(SecurityAffairs – Evil Corp, Dridex)

