From Russia, with Malware: US Charges Hacking Group Evil Corp. In $100M Bank Fraud


Call it Russian interference of a different sort that netted $100 million from banks and financial institutions (FIs) in more than 40 countries.

What would you expect from an outfit named Evil Corp.? Sometimes, it seems, there is truth in advertising.

The U.S. Department of Justice issued a multicount indictment Thursday (Dec. 5) against two Russian citizens, Igor Turashev and Maksim V. Yakubets. They are connected with a Russian hacking group known as Evil Corp., which has been known to release malware. The duo allegedly worked, with the help of more than a dozen others, to deploy malware known as Dridex (aka Cridex and Bugat) and to commit wire and bank fraud.

The malware was used to lift banking credentials, financial data and personal information from victims, and to deploy ransomware.

In its release, the Justice Department said “the State Department, in partnership with the FBI, announced today a reward of up to $5 million under the Transnational Organized Crime Rewards Program for information leading to the arrest and/or conviction of Yakubets.”

Yakubets, who also has been known as “aqua,” has been cited as being the leader of Evil Corp., which is the group of hackers behind the Dridex malware used in phishing email attacks.

The U.S. Treasury Department also said that he has provided “direct assistance” to the Russian government, and has ties to that country’s intelligence organization.

The Scope Of The Damage — In Dollars

All in all, the malware campaign was successful enough to claim banks as victims across more than 40 countries to the tune of $100 million in stolen funds, according to the Treasury Department.

“Prior to serving in this leadership role for Evil Corp, Yakubets was also directly associated with Evgeniy Bogachev, a previously designated Russian cybercriminal responsible for the distribution of the Zeus, Jabber Zeus, and GameOver Zeus malware schemes,” said the Treasury release. The charges levied at Yakubets state that Zeus was aimed at business computers, thousands of them, and stole passwords, account data and other valuable means of getting into online bank accounts. Losses from those malware deployments came in at $70 million.

The schemes have spanned roughly a decade, according to the indictments, which said that Turashev had been tied to Evil Corp., too, and had administrator beginning in 2015, and helped spread the malware.  Botnets were also deployed, according to the agencies.

As reported by Wired, the malware, tied to malicious links, would use keyloggers to access passwords or would create “fake banking pages” that induced victims to enter credentials.

And here’s perhaps a new wrinkle in the hacker model, with Wired reporting: “Evil Corp was apparently also in the franchise business. According to court documents, Yakubets gave a UK resident access to Bugat in exchange for $100,000 upfront, plus 50 percent of all revenues, with a minimum take of $50,000 a week. Like any good franchisor, Yakubets offered technical support as needed.”

A number of other individuals and companies were sanctioned by the Treasury Department in connection with Evil Corp, including Denis Gusev, allegedly a senior member of the hacking outfit, and six others for carrying out “logistical” functions of the effort. The announcements said that eight other individuals were part of “the network of money mules who were involved in transferring stolen funds obtained from victims’ bank accounts to accounts controlled by members of Evil Corp.”

The banks, companies, nonprofits and municipalities victimized, according to the Justice Department, stretched across states including California, Illinois, Iowa, Kentucky, Maine, Massachusetts, New Mexico, Nebraska, North Carolina, Ohio, Texas and Washington.