LAS VEGAS – BLACK HAT USA 2015 – The cybercriminal ring behind the GameOver Zeus malware stole an estimated $100 million from banks, but one of the group’s leaders also leveraged the botnet for cyber espionage.
The activities of the GameOver Zeus gang were analyzed for several years by the FBI and security firms Fox-IT and Crowdstrike. Representatives of these organizations revealed on Wednesday at the Black Hat conference in Las Vegas some new details on the activities and inner workings of the cybercrime group behind the notorious malware.
The Zeus malware was created in around 2005-2006 allegedly by a Russian national named Evgeniy Mikhailovich Bogachev, also known as “Slavik.” The GameOver Zeus variant, also known as P2P-ZeuS, emerged in September 2011 and it was successfully used by cybercriminals until May 2014 when its infrastructure was taken down as part of a joint operation between law enforcement and various private companies.
The GameOver Zeus group, known internally as the “Business Club,” had more than 50 members, including individuals responsible for the actual fraud, money mules and their recruiters, and a technical support team. The core team consisted of two leaders, one of whom was Slavik, a support crew, and some preferred suppliers.
GameOver Zeus used one coherent P2P network, but there were a total of 27 botnets, each with its own backend instance managed by a different person or group, researchers said. The P2P infrastructure allowed the criminals to operate with only minor interruptions for nearly three years. Experts determined that GameOver Zeus had roughly 200,000 active infections at any given time.
GameOver Zeus botnets were mainly used for fraud. Experts estimate that the cybercriminal group stole 20 to 30 terabytes of data and $100 million, mostly as a result of corporate banking account takeovers. The gang also made a lot of money after it started using the CryptoLocker ransomware in 2013 to extort payments from users and organizations whose valuable files had been encrypted by the malware.
However, researchers discovered that some of the GameOver Zeus botnets were also used for cyber espionage against countries of interest to Russia, particularly Georgia, Turkey and Ukraine. These botnets had been used, presumably by Slavik, to perform search queries on infected systems.
The searches targeted various keywords, including contact information and “government classified” material.
“One instance focused on Georgia and Turkey; the botnets contained a number of commands issued specifically to these countries, with queries which were very detailed, including searches for documents with certain levels of government secret classifications, and for specific government intelligence agency employees, and information about politically sensitive issues in that region,” Fox-IT noted in a report on the GameOver Zeus gang. “Additionally, some of the activity revolved around information from OPEC members, a clear sign that the information gathering was not purely politically motivated but also quite likely economically.”
“After the recent political changes in Ukraine, which led to a more pro-western government, one botnet which had been previously used for banking fraud was then used for a large amount of infections in Ukraine to search for certain types of politically sensitive information,” reads the report.
When they shut down the botnet, authorities in the United States also announced that Bogachev had been charged with conspiracy, computer hacking, wire fraud, bank fraud and money laundering. In February, the State Department offered a $3 million reward for information leading to his arrest.
Experts believe Slavik might have used the GameOver Zeus botnet to conduct cyber espionage operations for Russia, which might explain why he hasn’t been caught yet.
“We could speculate that due to this part of his work he had obtained a level of protection, and was able to get away with certain crimes as long as they were not committed against Russia. This of course remains speculation, but perhaps it is one of the reasons why he has as yet not been apprehended,” Fox-IT said.