DOJ takes action against Dridex malware group, Evil Corp
The U.S. Justice Department indicts two alleged members of the Russian threat group behind the Dridex banking Trojan, known as Evil Corp, and offers a $5 million bounty.
The U.S. and the U.K. announced criminal charges and sanctions against alleged members of the Russian threat group Evil Corp, which is responsible for the Dridex malware.
The U.S. Department of Justice indicted Maksim Yakubets, 32, of Russia on counts of computer hacking and bank fraud. The State Department offered up to $5 million for information leading to the arrest and/or conviction of Yakubets, who is the alleged leader of Evil Corp. Additionally, the DOJ indicted Igor Turashev, 38, in relation to the Dridex banking Trojan.
The Department of Treasury announced sanctions against Evil Corp, which has been active since 2009 and has been connected to the Zeus, Bugat and Dridex malware. According to the Treasury Department announcement, "Evil Corp has used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft."
Assistant Attorney General Brian Benczkowski of the Justice Department's criminal division noted in the DOJ press release that the U.K. National Crime Agency (NCA) was "crucial" in efforts to identify Yakubets and other members of Evil Corp.
The DOJ unsealed two indictments -- one filed on Nov. 12 in the Western District of Pennsylvania and one filed Nov. 14 in the District of Nebraska. The former indictment named both Yakubets and Turashev in multiple fraud attempts using Dridex malware beginning in Nov. 2011, including an attempted transfer of $999,000 from the Sharon City School District and an attempt to transfer nearly $2.2 million from Penneco Oil. In total, the indictment filed in Pennsylvania included 10 charges of conspiracy, fraud and intentional damage to a computer.
The indictment filed in Nebraska only named Yakubets and listed 21 businesses and local government offices targeted across the country, nine of which were financial institutions, and covered incidents dating back to 2009.
According to the DOJ, Yakubets went by the handle "aqua" online. A case from the District of Nebraska charged a John Doe "also known as 'aqua'" and resulted in the extradition of two Ukrainian nationals from the U.K. to the U.S. in 2014. Those Ukrainians had previously been convicted in the U.K of laundering money for Evil Corp.
The Treasury Department said that its sanctions target "17 individuals and seven entities to include Evil Corp, its core cyber operators, multiple businesses associated with a group member, and financial facilitators utilized by the group." The announcement went on to name Denis Gusev as a senior member of Evil Corp, as well as entities owned or controlled by Gusev, six other members of the group and eight known financial facilitators.
Previous attempts
These actions are not the first taken against Dridex malware threat actors. In October 2015, the DOJ indicted Andrey Ghinkul in connection with spreading the malware. Ghinkul was arrested in August 2015 in Cyprus and extradited to the U.S. in February 2016.
At the time, Brad Duncan, security researcher at Rackspace, noted that Dridex incidents had disappeared in September following Ghinkul's arrest, but new instances of the malware began appearing again before the DOJ announced the indictment.
In October 2015, both the FBI and NCA set up sinkholes in efforts to stop the malware from connecting to command and control servers. But by January 2016, IBM security researchers confirmed a new version of Dridex malware was targeting banks in the U.K.
Earlier this year, Chronicle released the results of a five-year study into crimeware, which included looking at arrests made in connection with Zeus and Dridex malware, and found that law enforcement takedown attempts had only short-lived impacts if the masterminds behind such crimeware were not apprehended.