The Proliferation of Banking Malware: A Darknet Diaries Synopsis


Wells Fargo first introduced online banking in 1995. The service quickly proliferated and started to become the norm. The financial services industry has always been heavily targeted by individuals looking to steal cash, and the rise of the internet has only exacerbated the volume, frequency, and scale of these thefts. The prevalence of convenient online and mobile banking services has opened financial institutions and their customers to a host of new risks by providing criminals with a litany of new attack strategies.

Once online banking was introduced, it didn’t take long for hackers to begin capitalizing on internet security vulnerabilities to steal bank account details and complete fraudulent transfers. And as in any criminal field, as digital banking fraud developed, standouts began to emerge. One of these was a Russian hacker who went primarily by the online pseudonym Slavik.

Slavik was a young and ambitious hacker with remarkable business acumen. He developed a new type of malware, known as WSNPoem, that infected machines through attack methods such as spam emails. Upon gaining access, WSNPoem would search the machines on which it was installed to find login credentials to personal and commercial online banking accounts. The program would then report those credentials back to the malware operator, who could then use the login information to steal from those accounts.

Slavik kept developing the malware. WSNPoem became PRG, then PRG Trojan, and each version was more capable and more effective than the last. PRG Trojan was found to have stolen data from 46,000 victims. That data was not only used to drain the victims' bank accounts; it was also sold to other cybercriminals so they could do the same. Within a year of its first deployment, the operators of PRG Trojan had stolen hundreds of thousands of dollars from commercial bank accounts in several countries.

PRG Trojan harvested every credential it could find on an infected machine, then stayed dormant until the user logged into an online banking account. At that moment it alerted the operator, who could piggyback on the victim's already-authenticated session and transfer money out of the account. Because the transfer was made from the victim's own device, inside a session the victim had legitimately opened, it looked to the bank like an ordinary customer transaction, and the fraud often went unnoticed for some time.

PRG Trojan was developed and expanded to the point that it warranted another name change. Slavik's banking malware became Zeus Bot, known as Zeus or Zbot for short. Zbot distinguished itself from its predecessors by posing a dual threat. First, it stole online banking credentials and siphoned money out of users' accounts. Second, it enrolled the infected computer in a botnet alongside every other machine Zeus had compromised, so the victim's device could be used for whatever the operator wanted next.

A botnet is a group of computers infected with the same malware and controlled as a group by a remote operator, without the knowledge of the devices' owners. The value of a botnet is coordinated action at scale: the operator can send spam, proxy traffic, or launch attacks from thousands of machines at once. Zeus was a highly effective piece of malware that gave Slavik an enormous network of bots under his control.

After honing Zeus into the premier piece of banking malware and amassing his botnet, Slavik began diversifying his illicit revenue streams. He turned Zeus into a crimeware kit that could be sold to other cybercriminals. He created an easy-to-use interface that didn’t require substantial hacking skills. For a fee, Slavik’s customers could use Zeus. For an additional fee, they could receive continued support from Slavik and leverage his botnet. Thus, Slavik had turned Zeus into Malware-as-a-Service (MaaS).

Large phishing groups started bundling Zeus with their phishing emails for a two-pronged attack: the email harvested credentials directly, and the payload infected the machine for the long term. The Zeus crimeware kit expanded to include Zeus Builder, which let operators generate their own bot binaries and specify what the bot should do after collecting passwords. Its ease of use and reliability were key reasons Zeus became so popular and crowded out competing malware. Zeus could also carry out man-in-the-browser attacks: because it ran inside the victim's browser, it could rewrite the HTML of a banking login page as it was rendered, adding fields that asked for further sensitive information such as social security numbers and debit card PINs. The bank's real page was never modified; only the victim's view of it was, so the injected fields were indistinguishable to the user from the genuine form.
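The following is an added example, not code from the Darknet Diaries episode or from the Zeus kit itself. It shows, on a constructed bank login page, how a Zeus-style web inject rewrites the form the victim sees, and then the kind of check a bank's front-end could run to notice fields it never shipped. The configuration tokens (set_url, data_before, data_inject, data_after, data_end) follow the convention Zeus webinject files used; the URL, page HTML, field names and the simplified insertion semantics are assumptions made for this example.

```javascript
// Added example (not the Zeus source or the episode's material): a minimal
// parser for a Zeus-style "webinjects" file, applied to a constructed bank
// login page, plus a field-integrity check the bank's page could run itself.
//
// Constructed webinject configuration. Token names follow the Zeus convention;
// the URL and fields are invented. The trailing "GP" flag field is parsed but
// ignored here.
const WEBINJECTS = `
set_url https://bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<input type="text" name="ssn" placeholder="Social Security Number">
<input type="password" name="atm_pin" placeholder="Debit card PIN">
data_end
data_after
data_end
`;

// Constructed login page exactly as the bank served it.
const ORIGINAL_PAGE = `<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password" autocomplete="off">
<button type="submit">Sign in</button>
</form>`;

// Fields the bank's login form is known to contain (assumed allow-list).
const EXPECTED_FIELDS = ["username", "password"];

// Parse a webinjects file into [{ urlPattern, before, inject, after }].
function parseWebinjects(text) {
  const entries = [];
  let cur = null;
  let section = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line.startsWith("set_url ")) {
      cur = { urlPattern: line.split(/\s+/)[1], before: "", inject: "", after: "" };
      entries.push(cur);
    } else if (line === "data_before" || line === "data_inject" || line === "data_after") {
      section = line.slice(5); // "before" | "inject" | "after"
    } else if (line === "data_end") {
      section = null;
    } else if (cur && section && line !== "") {
      cur[section] += (cur[section] ? "\n" : "") + line;
    }
  }
  return entries;
}

// Zeus patterns use "*" as the only wildcard; everything else is literal.
function globToRegex(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\\/]/g, "\\$&");
  return escaped.replace(/\*/g, "[\\s\\S]*?");
}

function matchesUrl(urlPattern, url) {
  return new RegExp("^" + globToRegex(urlPattern) + "$").test(url);
}

// Apply every entry whose URL pattern matches. Simplified semantics assumed
// for this example: the payload goes right after the first "before" match;
// when "after" is given, whatever sits between the two anchors is replaced.
function applyWebinjects(entries, url, html) {
  let out = html;
  for (const e of entries) {
    if (!matchesUrl(e.urlPattern, url) || !e.before) continue;
    const m = new RegExp(globToRegex(e.before)).exec(out);
    if (!m) continue;
    const pos = m.index + m[0].length;
    if (e.after) {
      const am = new RegExp(globToRegex(e.after)).exec(out.slice(pos));
      if (!am) continue;
      out = out.slice(0, pos) + "\n" + e.inject + "\n" + out.slice(pos + am.index);
    } else {
      out = out.slice(0, pos) + "\n" + e.inject + out.slice(pos);
    }
  }
  return out;
}

// Defensive check: collect every <input name="..."> in the HTML the browser
// is about to submit and report names the bank's form does not contain.
function unexpectedFields(html, expected = EXPECTED_FIELDS) {
  const names = [];
  const re = /<input\b[^>]*\bname="([^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names.filter((n) => !expected.includes(n));
}

// Run the inject against the constructed page and check the result.
function demo() {
  const entries = parseWebinjects(WEBINJECTS);
  const injected = applyWebinjects(entries, "https://bank.example/login?lang=en", ORIGINAL_PAGE);
  return { injected, unexpected: unexpectedFields(injected) };
}
```

The check in unexpectedFields is deliberately simple: a bot with hooks inside the browser can tamper with client-side JavaScript as easily as with HTML, so an allow-list like this is an early-warning signal for the bank, not a control the victim can rely on. The durable defences are server-side: never ask for data such as a PIN on a login page, and treat a submission carrying unknown fields as a compromised endpoint.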

Zeus attacks escalated. Banks, schools, municipal government agencies, and similar organizations saw substantial sums disappear with no trace of how their accounts had been breached. FBI investigators were stumped: every transaction appeared to come from the account holder's usual browser and IP address. Even banks with multi-factor authentication and additional layers of security fell victim, because the fraudulent transfer was issued from inside a session the customer had already authenticated; a one-time code protects the login, not what happens afterwards. Slavik was achieving immense success with Zeus and selling it to thousands of other cyberthieves.

People began reselling Zeus; Slavik felt he was being cheated and adjusted his approach. He partnered with a phishing group known as Avalanche to create JabberZeus. JabberZeus offered new modules for an additional fee, including a backconnect module: the infected machine opened a connection back to the operator's server, and the operator then routed banking traffic through that connection, so any transfer the bank logged appeared to originate from the victim's own computer and IP address. It also sent operators real-time Jabber instant messages whenever a victim performed a banking action on an infected device, which is where the name JabberZeus comes from.

JabberZeus even offered a VNC (Virtual Network Computing) module that gave operators full remote control of the infected machine over a live connection. Combined with backconnect, this let them hide their tracks entirely: the operator could drive the victim's own browser, with the victim's cookies and saved sessions, and every request left from the victim's device.

JabberZeus enabled cyberthieves to siphon immense amounts of money, add fake employees to payrolls, and access highly sensitive information on a mass scale. The group behind JabberZeus increased their efforts, drawing greater attention from the FBI and other agencies. An extensive, internationally cooperative effort to find Slavik and shut down JabberZeus commenced. After years of investigation, Slavik was found out and unmasked. The FBI indicted him, but due to US-Russian relations, he has not been extradited to date.

Today, Slavik (whose real name is Evgeniy Bogachev) is on the FBI's Cyber Most Wanted list with a $3 million reward offered for information leading to his arrest. This is the largest reward the FBI has ever offered for a wanted hacker. We'll see whether it is ever paid out. In the meantime, the man responsible for popularizing Malware-as-a-Service, infecting between 500,000 and 1,000,000 computers worldwide with the Zeus botnet, and causing an estimated $127,000,000+ in losses for his US victims alone, walks free.

Cybercriminals are always advancing their programs and expanding their attacks. The financial industry faces an ever-growing list of threats. Banks and financial services firms must take extraordinary steps to protect their interests and their customers’ well-being. To speak with one of CyberTeam’s cybersecurity experts about how to protect your business, contact us today to schedule a consultation.
