Zeus OTP Malware Trail Leads to Russian Cyberwarfare

Have you ever pulled a thread on a piece of clothing, which loosened another thread, that then loosened yet another thread?  It felt a bit like that when I started reading up on the arrest of Vyacheslav Penchukov (pictured right), a 40-year-old Ukrainian who is alleged to be the leader of the ‘JabberZeus’ cybercrime group.  Multiple media sources had reported his recent arrest in Switzerland, but as I read, the threads led beyond cybercrime to state sponsorship and espionage.

Longer-standing mobile fraud staff will probably remember the problems caused by Zeus malware.  It was used to target online banking and impacted the mobile industry because, in addition to the malware, fraudsters were also using SIM swaps to intercept the one-time passwords (OTPs) that banks sent by SMS.  Mobile operators first started to see the evidence of Zeus in late 2010; in the UK and the Netherlands the victims were targeted for SIM swaps, but in Portugal and Turkey the fraudsters were deploying new Zitmo (Zeus in the mobile) malware.  Zitmo automatically forwarded the SMS OTP to a mobile number defined by the fraudster, removing the need for a SIM swap.

What we knew at the time

Europeans saw well-engineered attacks on the banks’ authentication processes from 2010. These particularly targeted customers of ING Bank and Santander. Zeus malware was used to harvest internet banking credentials from a victim’s personal computer. When a user logged on from an infected computer the malware would open a new window asking for the details of the victim’s mobile phone type and number. Customers were then sent a WAP (Wireless Application Protocol) link which downloaded tailored Zitmo mobile malware as a so-called ‘security upgrade’.  The malware prevented the bank’s SMS OTP from being displayed in the inbox and would forward it to the fraudster without the customer’s knowledge. The following screenshot shows the malware being used to attack an ING customer.

Having set up the communication chain, the attackers logged into the bank account using the victim’s credentials and set up a payment to themselves.  The bank sent a one-time password by SMS to the victim’s phone, which was forwarded by the malware, and the attackers entered it via the web browser to authenticate the transaction.

This was the fraud sequence as we understood it:

  1. Zeus gang infects victim PC with Zeus malware and captures user banking ID and password
  2. Zeus malware asks victim for mobile details and sends link telling him/her to install ‘security software’
  3. Victim uses link to install Zitmo on his/her mobile
  4. Zeus gang logs into victim’s bank account and creates a cash transfer
  5. Bank sends SMS OTP to customer mobile to validate transaction
  6. Zitmo software a) hides SMS OTP on the victim’s mobile and b) forwards the SMS OTP to Zeus gang
  7. Zeus gang inputs SMS OTP to validate transaction
  8. Bank validates the SMS OTP and releases the cash transfer

The following illustration also shows the sequence of events involved in this crime.

Reverse engineering of the mobile malware identified a number of UK mobile numbers to which the SMS OTP messages had been forwarded.  This didn’t turn out to be particularly helpful as the numbers were traced to the island of Guernsey, where the network operator confirmed that the target numbers were part of a service to route inbound traffic over the internet via SMPP to the end user.  The Turkish Cyber Crime Unit conducted raids in Istanbul, Kocaeli and Izmir and made 36 arrests, but this was the only notable law enforcement action we identified.

Countermeasures

The mobile industry collaborated on a number of initiatives to help protect customers.  To counter SIM swaps, operators introduced stronger customer authentication processes and sent the original SIM an SMS notification of the SIM swap request.  Some operators would only connect new SIMs which had been sent to the customer’s home address, but this couldn’t be applied in all markets as some homes don’t have addresses or delivery services. Additionally, there were filters or delays in place for SMS OTPs immediately following a change of SIM.  For Zitmo, operators denied access to the mobile malware download and, in some cases, captured a customer opt-in to delay all mobile-originated SMS for a timeout period (10 minutes) once an SMS OTP had been sent.  This meant that SMS OTPs would already be invalid by the time the mobile malware was able to forward them.
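The operator-side controls described above can be expressed as simple routing rules. The following is an added illustration (not code from any operator or from the original article) that models the post-SIM-swap OTP delay and the opt-in hold on mobile-originated SMS, then checks whether a Zitmo-style forwarded OTP would still be accepted by the bank. The 10-minute hold is the figure from the article; the 24-hour SIM swap freeze, the 5-minute bank OTP lifetime and the subscriber number are assumptions.

```python
"""Model of the operator countermeasures against Zitmo OTP forwarding:
delay OTP delivery to a freshly swapped SIM, and hold all mobile-originated
(MO) SMS for a timeout period after an OTP has been delivered."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

MO_SMS_HOLD = timedelta(minutes=10)       # figure quoted in the article
SIM_SWAP_FREEZE = timedelta(hours=24)     # assumed post-swap OTP delay window
BANK_OTP_LIFETIME = timedelta(minutes=5)  # assumed bank-side OTP validity


@dataclass
class Subscriber:
    msisdn: str
    mo_hold_opt_in: bool = False
    last_sim_swap: Optional[datetime] = None
    last_otp_received: Optional[datetime] = None


def route_incoming_otp(sub: Subscriber, now: datetime) -> str:
    """Operator decision for an inbound bank OTP: 'deliver' or 'delay'."""
    if sub.last_sim_swap is not None and now - sub.last_sim_swap < SIM_SWAP_FREEZE:
        return "delay"  # SIM changed recently: hold the OTP and notify the customer
    sub.last_otp_received = now
    return "deliver"


def route_mo_sms(sub: Subscriber, now: datetime) -> Tuple[str, datetime]:
    """Operator decision for an SMS sent from the handset.
    Returns (action, earliest time the message will actually leave the network)."""
    if (sub.mo_hold_opt_in and sub.last_otp_received is not None
            and now - sub.last_otp_received < MO_SMS_HOLD):
        return "hold", sub.last_otp_received + MO_SMS_HOLD
    return "send", now


def forwarded_otp_usable(otp_sent_at: datetime, arrives_at: datetime) -> bool:
    """Would the bank still accept the OTP when the forwarded copy arrives?"""
    return arrives_at - otp_sent_at <= BANK_OTP_LIFETIME


def simulate_zitmo_forward(opt_in: bool) -> bool:
    """Constructed scenario: OTP delivered at T, malware forwards it 5 seconds
    later. Returns True if the forwarded copy would still be valid at the bank."""
    t0 = datetime(2010, 11, 1, 10, 0, 0)
    sub = Subscriber("+447700900123", mo_hold_opt_in=opt_in)  # constructed number
    if route_incoming_otp(sub, t0) != "deliver":
        raise RuntimeError("unexpected: OTP should be delivered to an unswapped SIM")
    _action, leaves_network_at = route_mo_sms(sub, t0 + timedelta(seconds=5))
    return forwarded_otp_usable(t0, leaves_network_at)


if __name__ == "__main__":
    print("no MO hold, forwarded OTP usable:", simulate_zitmo_forward(False))
    print("MO hold opted in, forwarded OTP usable:", simulate_zitmo_forward(True))
```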

Zeus malware reports gradually subsided; we didn’t know why it had gone away but we focused on the next big issues and didn’t really give this crime much further attention.  However, there was so much more to the Zeus story than we realised.

The story of Zeus

The following information was culled from multiple sources, but the majority derives from articles published by Wired and by consistently impressive security journalist Brian Krebs. Links are provided at the end of this section.

Zeus first appeared in 2006, created by an unknown author, known online as Slavik or lucky12345.  Unlike many malware authors, Slavik had a professional approach and regularly updated the Zeus code, which was adaptable and could produce variants optimised for different kinds of attacks and targets.

Slavik’s interests evolved over time and he began to recruit a trusted group of online criminals, providing them with a malware variant called Jabber Zeus. This included a Jabber instant-message plug-in, allowing the group to communicate and coordinate attacks.  The group began to specifically target corporate accountants and people with access to financial systems.  The Federal Bureau of Investigation (FBI) in the USA started to investigate following attacks on First Data, which lost USD450,000 in May 2009, and a USD100,000 theft from First National Bank of Omaha. It was noted that the thefts had been made using the victims’ own IP addresses, logins and passwords. Examining their computers identified the same Zeus malware.

The FBI’s first breakthrough came in September 2009, when, with industry assistance, they identified a server in New York which appeared to form part of the Zeus infrastructure.  Examination revealed this was the organisation’s Jabber server, containing tens of thousands of instant messages including details of victims and their stolen credentials.  Later that year, three young women from Kazakhstan walked into the FBI field office in New York.  They’d come to the US to look for work but found themselves participating in a curious scheme.  They would be driven to a local bank where they would open a new account, explaining they were students visiting for the summer. A few days later, they would be driven to the bank again to withdraw all the money in the account.  They kept a small cut and passed the rest on to the driver.  These were the organisation’s first identified ‘money mules’ and it seems likely that the same approach was used to move money later defrauded from Zitmo victims.

Once inside a victim company’s bank accounts, the fraudsters would modify the firm’s payroll to add dozens of money mules, who were often people recruited to work from home. The mules would transfer the payroll deposits overseas, minus the commission they each deducted. US investigators soon traced similar mule routes in Romania, the Czech Republic, the United Kingdom, Ukraine, and Russia.

The FBI and the Justice Department had zeroed in on an area in eastern Ukraine around the city of Donetsk, where several of the Jabber Zeus leaders seemed to live. They included Ivan Viktorvich Klepikov, aka “petr0vich” (pictured left), who ran the group’s IT, and Vyacheslav Igorevich Penchukov, a well-known local DJ nicknamed “Tank”. Penchukov was said to manage the whole scheme, as second in command to Slavik.  By autumn 2010, the FBI was ready to take down the network. Agents from the FBI and from Ukraine’s security service raided the homes of Tank and petr0vich. There were 39 arrests in four different countries, which was seemingly enough to disrupt the network. However, the key players evaded capture, and Slavik still hadn’t been identified.

Detailed accounts of this portion of Zeus’ history are available from Wired and KrebsonSecurity.

Finding Tank

In the old, corrupt Ukraine, Vyacheslav Igorevich Penchukov was a well-connected man. The godfather to Penchukov’s daughter was Victor Yanukovych Jr., son of former President Victor Yanukovych. Through his connections to the Yanukovych family, Penchukov had access to the top tiers of Ukrainian government, including law enforcement.  It is alleged that he was tipped off about the raids, giving him time to destroy evidence and escape before his home was searched.

Unsurprisingly, former President Yanukovych has his own telecoms fraud connection.  In 2017, Pravda Ukraine reported that:

The General Prosecutor’s Office has opened another case against ex-president Viktor Yanukovych on suspicion of financing the establishment of a special communication system based on the private company Ukrtelecom

It seems Yanukovych had somehow forgotten that Ukrtelecom had been privatised and, together with the Prime Minister, Head of State Intelligence Service, and a Ukrtelecom board member, they had used public money to finance a ‘special communications network’ between October 2010 and July 2013.

Krebs wrote about a 2014 blog from Gary Warner, Director of Research in Computer Forensics at the University of Alabama, who identified a 2009 JabberZeus chat during which Tank reported the birth of his daughter, Miloslava, and noted her birth weight.  According to Warner:

A search of Ukrainian birth records only showed one girl named Miloslava with that birth weight born on that day

This information positively identified Penchukov as Tank.

Penchukov was finally arrested in Geneva on 23 October of this year. After the completion of formal extradition procedures, the Swiss Federal Office of Justice granted his extradition to the USA on 15 November. However, that decision may be appealed at the Swiss Supreme Court.

Slavik remains mysterious

Whilst Penchukov was identified from the JabberZeus chat, Slavik remained an enigma.  Slavik went quiet for a period following the FBI raids but then re-emerged with a more dangerous version of the malware called GameOver Zeus, which was more resilient and resistant to remote takedown.  Infected machines kept a constantly updated list of other infected machines and if the connection to the command server was interrupted, they each could rely on the peer-to-peer network to find a new command server.  In addition to the new variant, Slavik had a new team, known as the Business Club.

Once the GameOver Zeus malware stole a user’s banking credentials, the Business Club would empty the account, transferring its funds to accounts they controlled overseas. Then the powerful botnet hit the bank with a denial-of-service attack to distract bank employees and conceal the theft until the stolen funds had cleared. On November 6, 2012, the GameOver network stole USD6.9mn in a single transaction!

Then, in October 2013, Slavik’s group began deploying CryptoLocker, a form of ransomware that would encrypt the files on an infected machine and force its owner to pay a fee to unlock them. It has been suggested that there was a valid commercial reason behind this development: only a few botnet computers were connected to fat corporate accounts, so the remaining tens of thousands of mostly idle machines could be monetized by spreading CryptoLocker.

From 2011 through 2013, cybersecurity researchers and various firms mounted attempts to take down GameOver Zeus.  In January 2013, the plan was to reroute GameOver’s peer-to-peer network to a new server, a process known as ‘sinkholing’. Everything went well at first. During the peak of their attack, the security researchers controlled 99 percent of Slavik’s network.  But a small subset of infected computers were still secretly communicating with Slavik’s command servers via a second layer of control, and Slavik was eventually able to push a software update to his whole network and re-establish control.  Each attack that Slavik repelled taught him what investigators knew about his network and helped him to evolve his tactics.

The game changer

In 2014, the FBI partnered with security researchers to take down Slavik’s botnet.  They had three key objectives.

  • Identify the perpetrators and evidence which proved their crimes
  • Disable Gameover’s digital infrastructure
  • Disable the physical infrastructure using court orders to seize servers across the globe

The initial partnership grew to include law enforcement in the UK, Switzerland, Ukraine and a dozen other countries, plus industry experts at Microsoft, Crowdstrike, McAfee and others.  One of the first actions was to use cyber-forensics experts to trace old usernames and email addresses in order to identify Slavik and members of the Business Club.

The first breakthrough came from an email address linked to a British server that Slavik used to run the Business Club’s websites. More investigation and further court orders finally led to Russian social media sites where the email address was connected to a real name: Evgeniy Mikhailovich Bogachev. After several weeks of further work it became clear that this was the man who invented Zeus and created the Business Club.  Slavik/Bogachev was a 30 year old who lived an upper-middle-class existence in a Russian resort city with his wife and young daughter. He had been just 22 years old when he wrote the first version of Zeus.

The most stunning revelation from the cyber-forensic team was that searches had been carried out across the tens of thousands of zombie computers in the botnet, looking for:

  • email addresses for Georgian intelligence officers
  • leaders of elite Turkish police units
  • classified Ukrainian documents
  • classified material linked to the Syrian conflict
  • intelligence on Russian arms dealing

GameOver Zeus was being used as a tool for espionage.  In March 2014, as Russian forces seized the Ukrainian region of Crimea, a section of the botnet began to search for politically sensitive information on infected Ukrainian computers. Slavik’s network was trawling for intelligence that might help the Russian invasion.  This would explain how Bogachev had been able to operate a major criminal enterprise without state interference.  It was suggested that at some point Bogachev appeared on the radar of the Russian security services and made a deal which allowed him to continue his line of business in exchange for intelligence gathering.  Consequently, Bogachev’s intelligence connections meant it was unrealistic to engage Russian authorities in taking down GameOver.

The takedown began on 30 May 2014, when Canadian and Ukrainian authorities shut down GameOver’s command servers and zombie computers were redirected to a sinkhole.  Once the software was debugged, the numbers in the sinkhole began to climb; then the team knocked out Bogachev’s Turkish proxy server.  After hours of battling, Bogachev went silent. The game was over.  On 2 June, the FBI and Department of Justice announced the takedown had been successful, and they unsealed a 14-count indictment against Bogachev.  He is on the FBI’s most wanted list and there is a USD3mn reward for information leading to his arrest.

Takeaways

I share this story about Zeus and the people behind it because those who fail to learn from history are doomed to repeat it… and you cannot learn from history if nobody shares it with you.  Fraud managers need to be aware of the extent of the Zeus impacts in order to appreciate how much damage can be done by a comparatively small group.

Takeaway 1: Every contact leaves a trace

Edmond Locard, one of the fathers of forensic science, said:

It is impossible for a criminal to act, especially considering the intensity of a crime, without leaving traces of this presence.

I’ve shared a condensed version of this with many fraud colleagues: ‘every contact leaves a trace’.  I wish it was always true, but if you keep looking for those contacts then you will usually prove the principle.  In the Zeus example, Tank was identified from Jabber messages and his social media account. Slavik was unmasked by an email account.  Fraudsters must communicate with victims and with each other, and that will leave a trace.

Takeaway 2: Collaboration and sharing

The other significant element which brought down Zeus was collaboration.  Neither industry nor law enforcement was able to tackle Zeus alone.  We are risk managers, and if we get the chance to collaborate on an investigation, then we should.

If you do not do it already, consider proactively sharing fraud information (within any legal constraints). Supplying your intelligence costs nothing and creates trust and goodwill which will benefit you in the longer term.  Many years ago in the UK, before there was a national industry body, we started sharing our suspected fraud cases with other UK telcos.  Their first reaction was, “why have you sent me this?” Later they asked “what do you want?”  We only wanted them to respond with any related frauds, but there was no obligation.  Initially, responses took up to a month, but before long they were being returned in 30 minutes. We incorporated that additional information and re-issued the fraud alert.  It was simple, inexpensive, and it saved hundreds of thousands for us and the other telcos. More importantly, it established trust and encouraged discussion and co-operation on other issues.

Europol has just announced that authorities in Europe, Australia, the US, Ukraine, and Canada have made 142 arrests and taken down a spoofing website that allowed fraudsters to impersonate trusted corporations or contacts.  Worldwide losses related to this website are believed to be in excess of USD100mn.  The case was opened at Eurojust in October 2021 at the request of the UK authorities; the main administrator of the website was arrested in the UK on 6 November 2022, and the website and server were seized and taken offline by US and Ukrainian authorities two days later.  Collaboration works, but it takes time: the sooner you start, the sooner you get the benefit.

And on the subject of sharing, overseas telcos pursuing civil actions should be aware that recent rule changes now allow claimants full access to key English law mechanisms to discover the identity of defendants and location of assets, even where the wrongdoers and third parties are not based in England.

Takeaway 3: State-sponsored fraud

It can be difficult to convince board members that espionage is a real threat in telecoms, so it may help that Dark Reading recently reported that Chinese advanced persistent threat group ‘Billbug’ managed to compromise a digital certificate authority. According to Symantec:

The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates, they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines

How many espionage assets are more valuable than a telco?

Slavik’s link to Russian intelligence is another useful illustration that criminals sheltering in Russia, China and North Korea are paying their way by also serving the state.  Does your telco’s board think that aggressive military and intelligence services have not worked out that they can boost their budgets by using foreign fraud victims to pay for their espionage activities?  I doubt those fraud revenue streams are strictly audited, so I have no doubt that people at the top of the chain will be putting a little away for themselves, which only helps to reinforce the behaviour. Cybercrime and espionage are natural bedfellows, and telcos will always offer a prime target for both.

David Morrow

Dave has 35 years of law enforcement, investigation and fraud management experience including multiple international assignments. He is a recognised telecoms fraud expert and for a number of years chaired the GSMA workgroup responsible for Security & Fraud Risk Assessments.

Dave now provides fraud management support as an independent consultant.
