Charges Against Evil Corp

Greg Price

I enjoy all manner of spy entertainment – books, movies, documentaries, whatever. The notion of spies has always captivated me.

Most of the material, especially the fictional kind, spins wild yarns built around incredible evildoers and complex backstories. Yet the bad operators often go by rather simple, even silly, names.

Think of the James Bond series. The cast of villains reads like a strange nursery tale: Dr. No, Goldfinger, Elektra, Mr. Big, Mr. White, and so on.

As we read or watch these tales, the names are often symbolic of the character – perhaps a personal flaw or some association with the antagonist’s endeavors. Nonetheless, the names seem overtly fake or contrived.

Often fiction becomes reality, especially in the cyberworld.

This week, the US Department of Justice brought charges against a Russian citizen: a ten-count indictment covering computer hacking and various fraud charges.

The alleged hacker, Maksim Yakubets, is reported to be the leader of Evil Corp.

What? Wait.

You read that correctly, Evil Corp. Those of you who are fans of Mr. Robot will likely recall the name.

Evil Corp is a Russia-based cybercrime organization best known for developing the Dridex malware. Dridex is a sophisticated banking trojan, designed to automate the theft of online banking credentials from the computers it infects.

Dridex spreads the common way, via email. Phishing messages dupe readers into clicking a link or opening an attachment; that action launches the Dridex installer and infects the computer. The malware then harvests credentials for financial institutions, and the group uses them to transfer funds from the victims’ accounts to accounts under its control.

Some estimates suggest that Evil Corp, through Dridex, has infected countless computers in more than 40 countries and accessed accounts at over 300 banks. The US Treasury and Department of Justice estimate that Evil Corp has stolen at least $100 million over the past four years.

Evil Corp functioned as a business. Daily operations were overseen by Maksim Yakubets from Moscow. Yakubets managed the group’s cyber-activities through a network of experienced, trusted cybercriminals.

Some Evil Corp associates are also tied to other significant malware operations, including Zeus and Jabber Zeus.

The charges against Yakubets are accompanied by a $5 million State Department reward for information leading to his arrest or conviction.

The US Treasury also revealed that Yakubets provided direct assistance to the Russian government: as of 2017 he was reportedly working for the FSB, which tasked him with acquiring confidential documents through cyber-enabled means.

Beyond the indictment of Yakubets and his co-defendant Igor Turashev, the US Treasury sanctioned sixteen other individuals tied to the group. They helped maintain the malware, identify victims, and launder the stolen funds – all appear to be members of Evil Corp.

The indictment refers to the malware by its original name, Bugat; the group worked through multiple iterations and renamed it along the way, from Bugat to Cridex to Dridex.

So, how did the US government identify the group and its leaders?

It all started with a name, or, more specifically, a handle.

Yakubets was known as “aqua” among his peer networks.

In chat transcripts related to the Zeus operations, references to “aqua” appeared. The transcripts suggested that “aqua” managed various operations and facilitated bank transfers. Some online reports suggest the Russian government offered slight assistance in identifying Yakubets as well; however, that seems to contradict his alleged work for Russian intelligence.

In addition to running a massive malware operation, Evil Corp franchised it.

The court documents reveal that Yakubets provided a UK resident with access to the Bugat malware for $100,000 up front plus 50 percent of all revenue, with a minimum weekly guarantee of $50,000 for Yakubets. The arrangement also included technical support for the malware and for moving the stolen funds.

Given that some estimates indicate Evil Corp operated for nearly a decade, stealing hundreds of millions of dollars from individuals and banks across the globe, one can’t help but wonder how this collection of savvy hackers persisted for so long.

Adaptation was the core of their lengthy success.

Over many years, Evil Corp shifted from a centralized command structure to an ad-hoc one, forging a trail that was hard to follow because its connections looked disparate. They also altered the malware to evade improved detection, refined the phishing messages, and switched from wire transfers to cryptocurrency for moving the stolen money.

A collection of online photos shows Yakubets with supercars and other lavish items. Many wonder whether the $5 million reward and US indictment will do anything to remove him from Russia and the comfort that tens of millions of dollars affords.

Unlike the spy-movie characters I mentioned earlier, there is little honor among cybercriminals. In particular, most notorious hackers relish anonymity and secrecy. Having one’s face on wanted posters and headlining major news outlets doesn’t foster a cloak-and-dagger lifestyle.

And the promise of $5 million will surely test the strength of friendships among people who seem motivated by money. For now, I suppose we’ll have to wait and see whether the spotlight shines on Evil Corp brightly enough to flush out the alleged evildoers.

In the meantime, watch what you click – you never know when a villain from a multinational cybercriminal organization is looking to take your hard-earned money.

Be safe and watch out for Dr. Phish.