Darknet Diaries - 111: ZeuS

Episode Date: February 22, 2022

ZeuS is a banking trojan, designed to steal money from online bank users' accounts. This trojan became so big that it resulted in one of the biggest FBI operations ever.

Sponsors

Support for this show comes from Axonius. Securing assets, whether managed, unmanaged, ephemeral, or in the cloud, is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy, all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from Keeper Security. Keeper Security is an enterprise password management system. Keeper locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented Zero-Knowledge encrypted vault. And it takes less than an hour to deploy across your organization. Get started by visiting keepersecurity.com/darknet.

Transcript
Starting point is 00:00:00 When you put your money in the bank, you do it for safekeeping, right? I mean, you need to collect it somewhere, and under your mattress doesn't seem like the best idea. So we use bank accounts. Our paychecks go into it, and we pay our bills from it. And we can take cash out or transfer money to someone else. And yeah, it's all pretty easy because now we can do all this online. Before, we had to go into the local branch and wait in a queue and get the bank teller to do what we needed. It was a bit time-consuming and a little boring. But not anymore. Now we can just log into our bank account via the bank's website and, yeah, just go ahead and do whatever
Starting point is 00:00:35 we need and then log out again. And now there are apps for cell phones so that you can just do it on the go. You don't even have to be home anymore to check your bank balance or pay bills. All this stuff is going digital, which makes it easier for us to use. The problem with that, though, is that it's not just easier for customers to use. It also means it's easier for criminals to rob banks. Let's be honest about it. Millions of bank accounts, from standard personal accounts to big business accounts, all just sitting behind a login screen.
Starting point is 00:01:07 And that's just a flashing beacon for hackers that have an eye for financial fraud. Back in the mid-2000s, online banking had only been around for a few years. It was Wells Fargo in 1995 who was the first bank to offer internet banking to its customers. And their customers loved it. Once that started, there was no going back. And I like to think that the definition of information security is to be able to conduct business in a hostile environment. And the internet is hostile.
Starting point is 00:01:33 If you put something like a bank online, you can absolutely expect it to be hammered on by people trying to use their computers to steal money from it. Because the more the world goes digital, the more opportunities there are for criminals to do things. It's like lighting up opportunities for them to find places they shouldn't be going to, to steal things that don't belong to them. We love how easy and quick it is to open an app and go to a website and do all our banking in seconds. But that same simplicity is exploited by criminals. And this story is about a powerful
Starting point is 00:02:07 online banking trojan and the minds behind it. It grew to steal more than 70 million dollars and without looking like a crime had even taken place at all. It's about how stealth and perseverance can seemingly make the bad guys always look like they come out on top. It's the ultimate multiplayer strategy game, a game where two very capable, sharp teams compete. On one side of the board are federal agents, bank security, and security researchers. And on the other were thieves, criminals, and hackers. Strategic, calculated moves from each side pitted one force against the other. And the outcome? Well, you'll have to keep listening for that.
Starting point is 00:02:54 These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless and it's not a fair fight. But I realize I don't need to be fighting this alone anymore.
Starting point is 00:03:42 Now I use the help of Delete Me. Delete Me is a subscription service that finds and removes personal information from hundreds of data brokers' websites, and continuously works to keep it off. Data brokers hate them because DeleteMe makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found, and then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and
Starting point is 00:04:19 use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash Darknet Diaries and enter code Darknet at checkout. That's joindeleteme.com slash Darknet Diaries. Use code Darknet. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help.
Starting point is 00:04:59 But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com.
Starting point is 00:05:55 I'm going to take you back to 2006. By this point, mainstream online banking had been around for about 10 years. Banking fraud wasn't exactly new, and it had been going on for years, and it was just turning more and more electronic. And that meant that people's bank accounts had now become fair game from anywhere in the world. There was one switched-on guy who had been sitting and watching all this. He was in Russia, was very interested in tapping into the never-ending supply of money to steal. He was young, just 22 years old, but he was ambitious. Don't be fooled by his age, though. At 22 years old, he was very sharp and calculated, a meticulous planner, and a fantastic coder. This coder went by loads of different usernames on the web and underground forums, but he eventually settled into one name, Slavic. On October 11, 2006,
Starting point is 00:06:47 a new forum message appeared on the website techsupportguy.com. This website had been going since 1996 and was one of the first that offered free internet tech support. In those 10 years, the site gained more than 210,000 members and had 27 individual forums. And on one of the forums, a user asked for help. He said he found some weird code on his sister's Windows computer and he couldn't identify it. He posted a sample of it and asked if anyone could help figure out what this was. The code was new and different and not something that people recognized. The code was passed around and picked up by some security researchers and someone called out that this code was malicious. The researcher called this malware WSNPoem, after one of the names of the directories
Starting point is 00:07:32 in the malware. So WSNPoem, they discovered, crawled into people's computers very quietly and walked around their files, their storage, and their browser, hunting for usernames and passwords that it could steal and report back to the malware owner. And it was fast, too. It would capture all the credentials on a daily basis and then seemingly send them back to the hacker that launched it. Now, the credentials it wanted, more than any others, were the username and password for online bank accounts, which could be the most valuable credentials we have. WSNPoem was a banking
Starting point is 00:08:06 malware that tried to steal money from people's accounts. If it found the user details of a banking site, it would report that to the malware operator and someone would go log into the bank and try to figure out a way to take the money that was in there. It was rumored at the time that this was a Russian hacker group called Uplevel who wrote WSNPoem, but really, no one knew for sure. Things started to move pretty quickly after that. Eight months later, in June 2007, came a bigger discovery by SecureWorks. Some researchers there found a new version of this banking malware, and they called it PRG and had it down as a more advanced and effective version than the WSNPoem malware.
Starting point is 00:08:47 Whoever was behind these attacks wasn't wasting their time either. In August, the SecureWorks team discovered a huge database of stolen data, and they traced it back to the PRG Trojan. Lists and lists of bank details, card details, social security numbers, usernames, and passwords were being sucked up by this banking Trojan. SecureWorks calculated that 46,000 victims who had all been hit with this malware had their data stolen. Now it was all in this big data dump,
Starting point is 00:09:11 openly sold to underworld criminals. By December 2007, the hackers who deployed the Trojan had stolen over $200,000 from commercial bank accounts across the US, UK, Italy, and Spain. And this is how it worked. The hackers were sending out malware through spam emails and drive-by downloads, getting it into as many machines as
Starting point is 00:09:30 possible. Once installed, it sought out and sucked up all the credentials stored on that computer. Then the malware would sit and wait for users to log in to their online bank accounts. And as soon as they did, the malware would alert the hackers, who would then jump into the session, get on that user's computer, and transfer money from the user's account to their accounts. It was as if they were in the room with the user on the same machine, taking money out of the account right under their nose. It was sneaky and stealthy and very successful.
Starting point is 00:10:04 It was the modern day equivalent of daylight robbery, only it was done in the shadows, like an invisible invader. These early wins were proving to the hackers that they were onto something big, and if they could just improve the malware a little bit and scale it up, they could steal a lot of money this way. So they continued to develop their malware and their skills. Roll forward another six months and there were more discoveries by SecureWorks. As they watched this Trojan expand and develop like a growing snake, there was another name change. Now it was being called Z-Bot, short for Zeus Bot. And this malware posed as a double-edged threat. You see, the banking malware not only
Starting point is 00:10:46 stole sensitive and valuable credentials and then robbed the user's bank account, that would be bad enough, right? But then it turned this infected machine into a spy, a slave computer that was completely under control. The machine would join a botnet, a giant network of infected machines. The hackers were stacking up these bots and utilizing their power as a single formidable force to do some really shady stuff. By now, everyone analyzing the different versions had trashed the idea that this was a new hacker group. Now they were sure whoever was behind this Zeus bot was the same individual who had created the PRG Trojan and the WSNPoem Trojan. One author was the mastermind, and whoever it was, he was raking it in. That author was the young Russian, going by the name of Slavic. By 2008, Z-Bot became known just as Zeus, a name that Slavic had apparently given to it at some point through its development.
Starting point is 00:11:48 So you've heard of Zeus, right? Because it's big in Greek mythology, and a lot of people actually named their dog Zeus. But Zeus was the king of the Greek gods, the god of the sky and thunder and lightning. He was the ruler, which I think is why Slavic named it this. He liked the idea of there being a single botnet that ruled them all. And it actually seems fitting because Zeus would eventually become the king of all banking malware. Not only was Slavic a good coder, he was also good at business too. He wanted to make more streams of income with this malware and he kept updating Zeus and developing it and adding new features regularly. A lot of times when
Starting point is 00:12:31 malware is created there's just like one or two versions of it. Whoever wrote it just does the job they need to do with it and it's done. But Zeus was different. Slavic was using it himself to rob people but he also built Zeus to be a crimeware kit that he could sell on underground forums and on the dark web. It was like a DIY hacker's toolkit, so they could build their own banking Trojan botnet. He would let others use it for a fee, and then he would even supply continued support for them.
Starting point is 00:13:02 Because there's a lot of people that want to have the power of a botnet at their fingertips, but they just don't have the skills to build one. So in comes Zeus with this easy-to-use, no-tech-knowledge-needed interface to spread and listen for commands from any of its operators. But it was still up to Zeus' customers to figure out what to do with the botnet. Back in 2007, another hacker group wanted to steal banking logins, but they were doing it through phishing email. So sending out spam emails, trying to convince people that this is their bank and they need to log in and they need to click this link. This group in particular was doing very well at this. They were skilled at sending out emails that looked like they actually came from your bank, just they hadn't. They were fake emails
Starting point is 00:13:43 with links that look exactly like the banking login site. But if you logged in, you just handed your login details to the criminals. That group was called Rockfish. They specialized in phishing campaigns, targeting banks to steal login details. And they'd been going since 2005. Their earlier campaigns always had Rock in the fake domain names, which is how they got their name. Now, Rockfish were widely considered to be one of the biggest phishing groups in the world. And by 2008, they were adding Zeus to their arsenal.
Starting point is 00:14:13 Rockfish began pushing the Zeus malware out along with their phishing emails. So if you got one of these spam phishing emails, you could be hit in two different ways. You could either click the link and get the fake version of the bank login. And if you did put your password in, then you just gave them your password. But if you didn't do that and went to your bank account manually or used a bookmark or something, that's when Zeus would kick in and capture your username and password as you typed it on the screen and send that to the hackers. In time, Rockfish gave way to New Blood, another group called Avalanche. But it's probably safe to say that this new group had a few members of Rockfish that moved into it. Avalanche liked Zeus too, and the better that Zeus had become,
Starting point is 00:14:57 the more popular it was with the underground criminals. They loved the idea of buying a credential thief and botnet rolled into one. For phishing groups like Rockfish and Avalanche, Zeus offered a secondary way for them to make money, and lots of it. Layering up their emails like this expanded their earnings potential big time. Avalanche were also known to make use of the Cutwail botnet, which was pretty big around this time. And the Cutwail botnet, along with its friendly loader Pushdo, eventually integrated Zeus into it. And Zeus integrated Cutwail into it. It was a great combination, making it even more devastating for everyone to get infected by it. Because using existing botnets to spread
Starting point is 00:15:35 banking Trojans was a very effective technique. Those botnets were already inside thousands of computers sitting and waiting for instructions. Might as well put Zeus in there to start sucking passwords up while it's there. Zeus was an exceptionally clever bit of kit, on a whole nother level to your standard phishing ideas. Once Zeus was on a computer, it dialed into the command and control servers to get instructions on what to do next. Now, the Zeus crimeware kit came with Zeus Builder, which was a nifty little program that allowed the operator to specify the behaviors and actions that they wanted each of their new bots to carry out. It was easy to use and reliable. Zeus was able to carry out man-in-the-browser attacks, when on a user's computer, it would intercept the web page that the user was trying to go to and alter the HTML code that would be rendered in the browser. So the user still gets the website they are expecting,
Starting point is 00:16:27 usually their banking homepage or something, which makes it not suspicious at all. But now the page has new fields asking for additional details like your PIN number or social security number. The user has no idea that there's someone in the browser trying to steal this information from them. Slavic had been improving, polishing, and perfecting his version of Zeus. He updated it, kept adding new
Starting point is 00:16:50 features, and better functionality. This was an evolving bit of kit, and Slavic was on the ball and keen to keep everything rolling forward and doing better at every step. Ambitious, greedy even. This guy knew what he wanted, and he was pushing hard for Zeus to get it for him. By May 2009, the FBI was starting to receive reports of large-scale bank transfers that were fraudulently sent, but had seemingly no evidence of a security breach. An FBI special agent was based in the Cybercrime Task Force in the Omaha field office in Nebraska, and he was a few months shy of his first year as a special agent and didn't know it,
Starting point is 00:17:28 but he was about to be sucked into a complicated web weaved by a master coder determined to stay one step ahead at all times. This episode is sponsored by SpyCloud. With major breaches and cyber attacks making the news daily, taking action on your company's exposure is more important than ever. I recently visited SpyCloud.com to check my darknet exposure
Starting point is 00:17:53 and was surprised by just how much stolen identity data criminals have at their disposal. From credentials to cookies to PII. Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end criminals' ability to profit from stolen data. With SpyCloud, a leader in identity threat protection, you're never in the dark about your company's exposure from third-party breaches, successful phishes, or infostealer infections. Get your free Darknet exposure report at spycloud.com slash darknetdiaries. The website is spycloud.com slash darknetdiaries. The First National Bank of Omaha has been around for 160 years.
Starting point is 00:18:46 It's family owned and independent, and it's a subsidiary of the First National Bank of Nebraska and offers online banking services to its customers. In May 2009, their customers reported that they had $100,000 swiped from their bank accounts. It just disappeared. So the special agent from the FBI gets on the case and he starts to examine the bank accounts to try to figure out what happened. When the account transactions were examined, it didn't make sense though. The special agent was looking for someone logging into these websites, maybe from overseas or from a suspicious IP, but the stolen money was transferred by the customer from the customer's IP at home on the customer's very browser.
Starting point is 00:19:26 The transfers were sending the money to accounts overseas. But the thought crossed the FBI agent's mind that maybe these customers were just trying to commit fraud and lying that the money was stolen. But no, that's too obvious. The bank could see who transfers the money. So there must have been something else here. But how could the thief be in their home doing these transfers? The money was being transferred from the targeted accounts using
Starting point is 00:19:50 ACH transfers. This is how you usually pay someone or pay your bills online. Now, what was weird was that for First National accounts, at least, they had a load of extra security layers before an account could even get into an online account to do anything. There's the standard username and password, but also there was a security question or pin number that you needed, which is good. It's an extra layer of security you want your bank to have. Well, for First National, they used to send their banking customers a list of pin numbers in the mail. So whenever they wanted to log into their online bank account, they used a pin number from the list as well as their username and password to get in. But First National was clever, too.
Starting point is 00:20:28 See, generally people are creatures of habit, right? So First National logs metadata stuff for their customers, like when they usually log in, from what IP address, and what browser they usually use. All this stuff. So if a login attempt happens, but it's not from the typical browser or IP address that they're used to seeing, then it could trigger an extra security check and block the login until the user confirmed that it's really them. And the point of telling you all this is that if there's a strange login from Russia, that should trigger some alerts, right? So these extra security measures were designed to stop hackers from doing that. Yet still, in this case, the thieves were able to get into these accounts and take large sums of money out. And so the FBI was baffled by how they were doing this. Weeks later, the U.S. security intelligence company iDefense made a find that turned everything on its head.
Starting point is 00:21:30 iDefense monitors and defends against cybersecurity threats. And on June 1st, they found a brand new version of Zeus. And this one came with some pretty advanced capabilities. To say Slavic had upped his game would be a bit of an understatement. For the last few years, Slavic had used many different usernames on the web, but he was often seen talking about Zeus and took ownership as the author. And he had cycled through lots of usernames like A to Z, Monster, Lucky12345, and polling soon before he seemingly decided to stick with Slavic. Slavic had made a lot of money selling Zeus as a crimeware kit. Imagine $3,000 on average for each one he sold. And he sold a lot. By spring 2009, it was believed
Starting point is 00:22:14 that there were 5,000 different customers using Zeus. The scale of this malware and the number of hackers using it was just huge. But Slavic felt like he was getting ripped off. He was not happy about it. People were trying to resell their copies of Zeus and their own customized versions of it, using the Zeus name that was well known and respected because of Slavic's excellent coding and continued updates. And they were making profit off of his work. There was another problem too. Banks were getting better at their online security. There were more kinds of two-factor authentication coming in, more layers for hackers to have to get through before they could get into a bank account. So in early 2009, Slavic teamed up with Avalanche,
Starting point is 00:22:54 who were still dominating the market in their banking phishing scams, and wrote the next big version of Zeus. This would be called Jabber Zeus. So the DIY kit for Zeus gave the basic functions needed for Zeus to steal credentials once it infected a machine. And it had the Zeus builder so that people could make their own botnet. But on top of this basic package were extra modules and add-ons too. So there was the form grabber made for Firefox for a cool $2,000. And there was another feature, the Back Connect module, which was $1,500 and allowed the hacker to redirect any tracing of their transfers out of bank accounts back into the infected
Starting point is 00:23:30 computer itself. This is so the transfers would always just trace back to the computer of the user and not to the hacker's computers. The big additional module available with Jabber Zeus was the Jabber Chat Notifier, but you had to pay an extra $500 for that. The add-on included Jabber, which is an instant messaging app. So with this module enabled, Zeus was programmed to send an instant message in real time to the hackers whenever a user or an infected machine logged into an online bank account that had over a certain amount in the account balance. This made it even easier for whoever was running Zeus to get notified and interact with the malware on someone's machine. Can you imagine a new instant message just pop up from an infected machine telling you, hey, I just found a bank account
Starting point is 00:24:15 with $100,000 in it, and here's the username and password. The chat messages would send you login credentials, bank account details, the balance, and the two-factor authentication code that the user used to log in with. This allowed hackers full access to the bank account as long as they acted quick. You see, the beauty of this new model is that hackers could sit back and see live updates via chat messages when their target logged in. What two-factor authentication code was used, what backup questions were answered, and the hackers would capture all this, and they would simply hop into that computer to process some transactions. And the computer user just had no idea that bank account transfers were being done on their machine in the background. And there was
Starting point is 00:24:56 one more module available for Zeus, the virtual network computing module. For $10,000, this would allow the hackers to 100% control the infected machine using an active virtual connection. It was several steps further than the Back Connect module. It meant they could essentially tunnel all their traffic through the user's computer to hide their footsteps. This way, the bank thinks the user logged in from home and not from Russia or wherever the operators were from. With the development of Jabber Zeus, Slavic was employing a small team of talented hackers to help him steal money from banks, people he knew and hand-selected. They started to focus on corporate accounts, like big corporate accounts
Starting point is 00:25:35 with hundreds of thousands of dollars in them. This would mean they could siphon out much bigger sums of money and transfer them to the hackers' accounts. But one of the biggest challenges for these thieves is after they get into someone's bank account, how are they going to get the money out? Because they have to know how to launder money so that it's not tracked back to them. Electronic transfers like ACH are great, but the robbers can't just transfer your money straight into their bank account because that would lead the FBI right to them. No, they needed to hide their trail and muddy the waters a bit,
Starting point is 00:26:07 putting some distance between the fraud and their own accounts. And the answer to that is money mules. The hackers behind Zeus needed to find people willing to act as go-betweens, a middle point between the fraud and the thieves. It's sort of like an air gap for the money to make it harder to trace.
Starting point is 00:26:26 So what they do is advertise a job on some online job board like Craigslist. Now, obviously, they don't advertise Money Mule for hire. No, they're very deceiving about this. Perhaps posting a job for a writer or someone to do some clerical work at home. But when they hire the person to do the work,
Starting point is 00:26:44 then they ask them to commit a crime. But the person doesn't realize it's a crime. The thieves will say something like, listen, we need to pay one of our suppliers, but our bank is having problems. Is it possible for us to send you the money and then you write a check to them? And by the way, you can keep 5% of the money as a bonus for helping us do this. And so the unwitting money mule agrees. They get the stolen money added to their account. Then they write a check for a little less than the full amount to go to the thieves account or another money mule's account. And the reason why this is illegal is because the money mule is laundering money. They're taking stolen funds and passing it along. It's an easy
Starting point is 00:27:21 job. You don't have to leave the house and it pays well. So lots of people are tricked into doing this. It might not smell legit, but hey, if the job's paying nice, maybe that's enough to keep people from asking questions. Just keep quiet, do the easy work and get paid. No big deal, boss. I got it. What these money mules don't realize is, yeah, they're just moving money about, but they're totally liable for it and are probably going to take the rap for it. There's been so many cases of money mules going to prison for years for doing this. So a word of warning, if you ever see a job posting online that seems suspicious or too good to be true, it probably is. Don't touch it. So once
Starting point is 00:28:02 this new version of Zeus landed, there was just an onslaught of attacks using it. Slavic was still selling the Jabber Zeus version as a kit, but now he had some new terms. For the older Zeus, he had gotten pretty sick of people ripping off his code and bootlegging different versions of it. So he decided to do something with Jabber Zeus that was pretty rare for malware at the time. He hard-coded an ID system into it and got real selective on who he sold it to. So when people paid for a copy, they got one, but that would only work on one machine. It was basically like a license that you could only run on one computer unless you paid for another copy. Slavic was tightening things up and preparing for some busy times ahead. On June 29,
Starting point is 00:28:41 2009, employees at the First Federal Savings Bank spotted something abnormal in a client's bank account. The account belonged to Bullitt County Fiscal Court in Kentucky. That's the bank account for the court in Kentucky. The bank employee saw there had been 25 new employees added to the payroll system starting on June 22nd, just a week before. More than that, straight after a new employee was onboarded, they were transferred a sum of money from the account. But the transfers were all under $10,000, which made it really hard to notice. It was a stroke of luck that this bank employee spotted it at all. After checking in with the fiscal court, the court knew nothing about this activity. They immediately started to process and reverse these payments because these weren't legit at all.
Starting point is 00:29:30 But what they couldn't figure out is how it had been done. You see, this court had some extra security measures in place. On this particular account, you needed two people to sign off on all transfers. And specifically, it required a sign off from the Bullitt County treasurer and judge. Yet somehow these hackers bypassed that and got their transfers through. Both the bank and Bullitt County reported the fraud to the FBI. The news reached that special agent who was investigating the same problems in Omaha and realized pretty quick the clues matched. These transfers looked very similar to what was going on in Omaha.
Starting point is 00:30:10 On July 2nd, Brian Krebs wrote an article about what happened in his Washington Post column. He said he had a source inside the investigation who told him exactly how the hackers had carried this out. They also told him this was the work of Jabber Zeus. First Federal Savings was a bank that had customers' profiles in place for all their account holders. So this was like a profile of the usual and expected online behaviors of their customers. This included stuff like the device and operating system they usually log in with, the browser that they usually use. And if all this matched their accounts, it would let the transaction through. But if it didn't match, it would send another security check to the email address to authenticate. You know how it goes.
Starting point is 00:30:46 Like when you log into Amazon or Google from a different device, you need to verify by going through an extra check before it lets you in. It's the same idea here. Anyway, so this is what was set up on the account for Bullitt County. But what surprised people was this still wasn't enough to stop the thieves getting in and making these illegal transfers. Why? Because they were using Jabber Zeus. And this is how they got around the security hurdles. The thieves had targeted a specific person, the county treasurer, knowing that this person is probably who had access to
Starting point is 00:31:16 the bank account. So they infected the treasurer's computer with Jabber Zeus. And I don't know how, maybe through a phishing link or something. But they got the malware on there and it did what it was designed to do. It went off and hunted around for the username and password for the First Federal Savings online bank account. But they needed more than that. So Jabber Zeus also got them the treasurer's email account details. Using the back connect and VPN modules, the crew made sure that they were going through the treasurer's own internet connection when they logged into the bank. This way, when anyone looked back to try to trace what happened, it would look like it was someone at the treasurer's computer who had done this. So step one is complete. Next, they logged into the bank account as if they were the treasurer,
Starting point is 00:31:57 and they went to the section for details of the two people who were required to sign off the transactions for the account. They already had the treasurer's details, that was fine, but they needed the judge to approve these transactions too. So in order to do that, they saw that the treasurer could reset the judge's password, and so they just did that, and they were able to get into the judge's account that way. So once they got in, they wanted to transfer money out, and what they did is they had 25 money mules ready for money. And so they just created 25 fake employees that would be on the payroll and made transfers of money to all 25 of these people and then logged in as a judge and approved all these transfers. It sounds like a lot of work, but I think they did it all in less than 10 minutes.
Starting point is 00:32:42 They stole $415,000 from Bullitt County doing this. And it was just sheer luck that the bank spotted this, and because they acted quickly, they were able to reverse some of these transfers and recover some of the money. The crew behind Jabber Zeus were on a roll. They hit banks, small businesses, even schools over the following months.
Starting point is 00:33:02 Anywhere they found good money, sitting in online bank accounts. Their range of targets was pretty varied. The bank account owned by All Things Possible was hit in early July. The same day, Armstrong Fitness Inc. was hit. And just over a month later, the Franciscan Sisters of Chicago had their account hacked and money stolen. There was no one this group wouldn't steal from. But their crusade of bank fraud wasn't going to last forever. The FBI were investigating more and more of these types of attacks. They had begun to recognize the hallmarks of Jabber Zeus. There were a lot of common factors across this fraud, which made them think it was the same crew.
Starting point is 00:33:37 In September 2009, they finally got a break. The FBI managed to trace the domain of the Jabber server, which was used to send instant messages by Zeus. The malware led them to a domain called incomeet.com. The IP address led them to a server company hosted by Ezi.net, which was in Brooklyn, New York. Being a US-based company, the FBI was able to issue a search warrant and see the extra details of the customer that was paying for that IP and server. The feds went there and saw the computer that was being used. It was running CentOS 5.0, had a 500 gigabyte hard drive, two gigabytes RAM, dual core AMD processor. The FBI's first question was, who's the customer using this server? And the best information they got was that it was an individual calling
Starting point is 00:34:20 themselves Alexei S, who said they were from a company based in Moscow in Russia. Back in Omaha, Nebraska, FBI engineers started to examine the contents of this server. What they had was the full Jabber server that the Jabber Zeus crew was using for their attacks. It had logs and records of every attack, bank details and credentials that they'd stolen, the names of the banks and businesses that have been unlucky victims. But it also had, to the sheer surprise of these engineers, the full backdated instant chat logs between members of the hacking crew. It was all there, black and white, and it was all in Russian. This triggered a long process to try to translate all the chats.
Starting point is 00:35:00 But by the end of it, the FBI had an absolute gold mine of evidence. There was also a list of victims that the FBI could now go to and inform them that their accounts were hacked into. By this time, Slavic was using Zeus to make money in three different ways. He was using it to steal money from banks, he was renting out the botnet to people who wanted to use it, and he was selling the Zeus malware for well over $8,000 for anyone who wanted to use it for themselves. He was bringing in a ton of cash with this endeavor, and he wasn't slowing down either. He went on to add even more new features and came out with Zeus V2, which gave users the ability to monitor network traffic, capture screenshots, record victims' keystrokes, steal certificates, and connect to other banking systems. But of course,
Starting point is 00:35:42 other people were seeing how effective this malware was and wanted to get in on the profits too. A couple of people named Gribodemon and Harderman took Zeus and modified it to make a new malware called SpyEye. First versions were terrible, but the kit cost just $400 compared to Zeus, which was over $8,000. Because SpyEye was so cheap, it started to attract attention, and the more people bought it meant the creators were spending more time improving it.
Starting point is 00:36:09 And as SpyEye improved, the price went up from $400 to $1,000. The team behind SpyEye wanted Zeus' customers and targeted them with deals and specials, which created a power struggle between Zeus and SpyEye. SpyEye was also programmed so that when it infected a machine, it would check to see if Zeus was on it and it would delete it. And so a battle of botnets began. Slavic, of course, did not like this and was like, no, I don't think so. This is rude.
Starting point is 00:36:36 And so he updated Zeus to try to delete SpyEye and this back and forth continued. Then suddenly and strangely, in October 2010, both Zeus and SpyEye made an announcement that Zeus would no longer be available for sale and that the Zeus business was going to be handed over and merged into Gribodemon's SpyEye. This was one weird and unexpected announcement. One side just suddenly giving up and now they're friends and merging? Gribodemon and SpyEye looked like they were coming out of this battle victorious and were leading the show now. Some people thought that Slavic wanted to retire and took this opportunity to hand over the reins and quietly slip into the shadows of the internet while someone else takes all the heat.
Starting point is 00:37:22 But the merger never actually happened. SpyEye never took on Zeus's code or features or botnet. Meanwhile, the FBI was following clues and trails and was paying very close attention to the activities of Zeus and SpyEye. The investigations led them to discover there was a SpyEye server in Atlanta, USA. The FBI was able to issue search warrants to infiltrate the server and found it was controlling over 200 bots and had information pertaining to a lot of financial institutions on that server. This gave the FBI a lot more clues as to who was behind SpyEye.
Starting point is 00:37:59 Then 2011 rolls around and suddenly the entire set of Zeus source code is leaked online. All of it. This meant that anyone could develop their own version of Zeus and make more malware. And by this point, Slavic had gone dark and silent. The Zeus source code is available online and being used by all sorts of people with different ideas. SpyEye was creating new updates and developing their malware. But then quietly, Gribodemon disappeared and was no longer active on the underground communities. But while to the outside world, Slavic had seemingly disappeared and gone silent,
Starting point is 00:38:35 he had in fact been working on a new version of Zeus, V2.1. He changed it from a repeating license software to one that was based on a subscription model delivered via the cloud. In 2011, Zeus v2.1 became Zeus version 3, and it was the first online banking malware to be offered as a service. M-A-A-S, malware as a service. And this would soon develop into a new version of Zeus, which had peer-to-peer capability. And that version was called Game Over Zeus. And Game Over Zeus was the most effective and successful version of Zeus yet. In September 2012, someone used it to steal $465,000 from a company and sent the money to
Starting point is 00:39:19 an account in China. And in September 2012, someone used Game Over Zeus to steal $2 million from a U.S. printing company. And I'm actually not sure how successful this was or who did it, since some of these heists can ring alarms and bank employees can scramble to freeze transfers and recover the funds before the money mule can send it to the next hop. And we really don't know who was doing these heists either, since Zeus can be used and bought by anyone. What we know is that Game Over Zeus was used in the robbery, but we don't know who was using it. But these are examples of the different types of licks people were going after with it. Regardless if Slavic was the one behind the heist or not, he was certainly making a ton of money with Game Over Zeus. Gribodemon, the maker of SpyEye, went on holiday to the Dominican
Starting point is 00:40:05 Republic, but little did he know he was being watched by the FBI. And they alerted the Dominican Republic authorities to arrest him and extradite him to the U.S. He was charged with bank fraud and money laundering, and he pled guilty for creating the SpyEye malware. Gribodemon's real name was Alexander Panin, a 27-year-old from Russia, and he was sentenced to nine years in prison for creating the SpyEye malware. But along with that arrest was another SpyEye developer, Hamza Bendelladj, a 27-year-old from Algeria. He was responsible for marketing and spreading SpyEye and using it to attack victims and send spam and malware. Hamza was sentenced to 15 years in prison for his role in SpyEye. In the spring of 2012, Microsoft announced they had seized over 800 domains
Starting point is 00:40:52 that were used by SpyEye and Zeus botnets, and they worked with authorities to turn over information that they discovered from this. A few more security researchers joined in to help Microsoft's digital crime unit to attempt to take down the botnet by attacking its command and control servers and taking down domains involved. See, the Zeus botnet had to receive instructions from a central authority for what to do. And if you could take down that central system, the whole thing would become inoculated. But that central system was hosted in a place that was not touchable. So the next best thing to do is take down the domain name that points to that system, essentially making it so the bots don't know where to go for commands.
Starting point is 00:41:30 And you can do this by reporting malicious domains to certain places to get them sinkholed, but this has to be a coordinated takedown to do as much damage as possible to the botnet in as little time as possible to not allow it to recover somehow. So the coordinated sinkholing of domains was executed, but it did not take down the Zeus botnet. Game Over Zeus was built with impressive resiliency, and it just switched to a whole new set of domains and command and control server. This was going to be very hard to take down. By the summer of 2012, the FBI had enough evidence of who was running Zeus that they issued an indictment for 10 people involved with operating Zeus malware.
Starting point is 00:42:08 But they didn't want to tip their hand and let the criminals know they were onto them, so they kept this indictment sealed and secret. But among those indicted was Slavic, the mastermind behind Zeus. The FBI infiltrated the Zeus network and had collected enough evidence to indict him. However,
Starting point is 00:42:24 they didn't know his real name and just indicted him under one of his online names, Lucky12345. He was being charged with conspiracy to participate in racketeering activity, bank fraud, conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to violate the Identity Theft and Assumption Deterrence Act, and aggravated identity theft. Slavic was in Russia though, which was safe from the long arm of the American law. But of course, Slavic had no idea he was indicted and carried right on selling Zeus to people, supporting the software and using it to rob banks. In November 2012, someone using Game Over Zeus stole over $6.9 million from a single target.
Starting point is 00:43:09 And if that wasn't enough, they decided to DDoS the bank for the next few days, which meant the bank was suffering from major network outages. I mean, I guess might as well, right? If you control a whole botnet of devices, why not use it to attack your victims when they're down just so you can make a clean getaway while they deal with the mess? Jeez, the audacity. But this $6.9 million heist was the largest known robbery done by the Zeus malware. We don't know who did it exactly,
Starting point is 00:43:31 whether it was someone who bought it or Slavic himself. In 2013, there was another attempt to take down the botnet. This time, attempted by some researchers at CrowdStrike, a security company. And they attempted to sinkhole all the domains that were involved with Zeus and coordinated a wide-scale attack on the network. They successfully sinkholed the domains, but the Zeus botnets continued to stay up, almost without a hitch. There was a secondary layer of redundancy that the team didn't know about, and it just fell back onto that and kept on infecting systems and robbing banks. And when a takedown attempt like this
Starting point is 00:44:05 happens, Slavic is on the other side, trying hard to maintain control of the botnet and keep everything up. He knew these kinds of takedowns would be attempted. He was always seemingly one step ahead and was ready, which is very impressive. I mean, imagine a major campaign where someone is trying to completely destroy your network at work. How many layers of redundancy and backup strategies do you have to fall back onto to maintain a completely functioning service for your customers? The resiliency here is just amazing. Slavic called his team the Business Club, which consisted of six members. Each member had their own specialty.
Starting point is 00:44:44 Some were good at tech support, others good at creating malicious software, and some were good at recruiting money mules. Together, the Business Club thought about other ways that the Zeus botnet could make money. And that's when it hit them. Ransomware. In October 2013, they decided to add the CryptoLocker ransomware into the Zeus malware kit. Now, Zeus infects computers and steals passwords, then listens for bank logins. But when all that's done, it can now encrypt the system and demand payment to decrypt it. Truly nasty. The first major time we saw this in action was in November 2013.
Starting point is 00:45:19 A police department in Massachusetts was hit with Zeus and then the ransomware CryptoLocker. But the Business Club only demanded $750 to unlock the system. So the police department paid it. And that's pretty cheap when we look at how much ransomware demands are today. By May of 2014, the FBI discovered the real identity of Slavic. His name was Evgeny Bogachev. He was in his 20s, living in Anapa, Russia. They indicted him under his real name and charged him with even more counts of bank fraud and money laundering.
Starting point is 00:45:52 In 2014 and 2015, the U.S. Department of Justice spent an enormous amount of energy trying to take down the Zeus botnet. Here is the Assistant Attorney General Leslie Caldwell of the U.S. Department of Justice Criminal Division to explain what they did. So here's what we did. Beginning in the early morning hours on this past Friday and continuing throughout the weekend, the FBI and foreign law enforcement began the coordinated seizure of computer servers around the world that were the backbone of both Game Over Zeus and CryptoLocker. These seizures took place in Canada, France, Germany, Luxembourg, the Netherlands, the Ukraine, and the United Kingdom.
Starting point is 00:46:34 Recognizing that the seizures alone would not be enough because cybercriminals can quickly establish new servers in other locations, our team began a carefully timed sequence of technical measures. These measures were designed to wrest from the criminals the ability to send commands to hundreds of thousands of infected computers and to direct those computers to contact the server that the court authorized us to establish. Working from command posts in the United States and at the European Cybercrime Center in The Hague, the Netherlands, the FBI and our foreign counterparts, assisted by numerous private sector partners, worked around the clock
Starting point is 00:47:11 to accomplish this redirection and to defeat various defenses built into the malware, as well as significant countermeasures attempted in real time over the weekend by the cybercriminals who were trying to keep control over their network. I'm pleased to report that our actions have caused a major disruption of the Game Over Zeus botnet. Bob Anderson of the FBI explains the extent of players involved with this takedown. Game Over Zeus is the most sophisticated botnet the FBI and all of our allies have ever attempted to disrupt. In fact, this is the largest fusion of law enforcement and industry partner and cooperation ever undertaken in support of an FBI cyber operation. Today's actions are part of an operation called Clean Slate. The FBI's
Starting point is 00:48:00 Pittsburgh, Omaha, and Washington field offices have led the Game Over Zeus investigation with the assistance of our legal attachés' offices in Canada and in Germany. Participants in the Game Over Zeus operation include law enforcement from the Ukraine, the United Kingdom, Japan, France, the Netherlands, and Canada, as well as our European Cybercrime Center. Among the many private sector partners who assisted by helping victims remediate the damage to their computers infected by the Game Over Zeus botnet are as follows. CrowdStrike, Neustar, Symantec, McAfee, F-Secure, Abuse.ch, Afilias, Level 3 Communications, and ShadowServer. The U.S. Deputy Attorney General James Cole had some additional comments.
Starting point is 00:48:57 Today we're here to announce that over the weekend, the department disrupted two extremely damaging cyber threats. We have also identified and charged one of the leaders of the Eastern European criminal cyber gang that is responsible for these schemes. Evgeny Bogachev, a Russian national, has been indicted in Pittsburgh, Pennsylvania for his role as an administrator of the Game Over Zeus botnet. Bogachev, a true 21st century criminal who commits cyber crimes across the globe with the stroke of a key and the click of a mouse, is also charged in a newly unsealed criminal complaint in Omaha, Nebraska for orchestrating a related botnet scheme. These crimes have earned Bogachev a place on the list of the world's most wanted cyber criminals.
Starting point is 00:49:53 A place on the FBI's Cyber's Most Wanted list. Let's see. Yep, there he is. His face is right there on the front of a big, bold, wanted poster with some identifying details like his birthday, eye color, weight, and aliases. But there's something about this wanted poster that's different than all the others on the FBI's Cyber's Most Wanted list. This one has a $3 million reward tacked onto it. This is the largest reward offered by the FBI for a wanted hacker. Hmm. While the FBI put him on the Most Wanted list in 2015, Slavic still hasn't been caught. He's presumably still in Russia. And the FBI has tried to work with Russia to get custody of him,
Starting point is 00:50:35 but despite their efforts, they have not been able to bring him to justice. In total, it's estimated that the Zeus botnet infected 500,000 to 1 million computers worldwide. And 25% of those computers were in the U.S. The FBI reported they estimated that the U.S. victims lost over $100 million from fraudulent bank transfers alone. And another $27 million was collected from ransomware payments. That's a lot of money. And what's surprising about this malware is, while it's used to rob banks,
Starting point is 00:51:07 it didn't attack the bank directly. It attacked the customers of the banks, stealing money from users' accounts, which is a lot smaller payouts versus stealing money directly from the bank. But when you can get your malware spread on a large scale like Game Over Zeus did, a bunch of smaller payouts add up to be quite a lot, making this one of the most sophisticated and lucrative pieces of malware ever.
Starting point is 00:51:45 This show is made by me, the FBI's least wanted, Jack Rhysider. This episode was written by the crime traveler, Fiona Guy. Sound design by the splendid Andrew Merriweather. And editing help this episode by the wide-eyed Damien. Our associate producer, just back from his trip to a cyber soiree, is Ray Redacted. Our theme music is by the steel-toed Breakmaster Cylinder. When I was a kid, my grandpa used to tell me to get a job cleaning windows. So I did. But I was also pretty good at cleaning Macs and Linux machines too.
Starting point is 00:52:11 This is Darknet Diaries.