CALL US: 216-397-4080  | CLIENT HELP DESK: 216-539-3686

$5m bounty set on the alleged head of Evil Corp banking Trojan group

$5m bounty set on the alleged head of Evil Corp banking Trojan group

Some people are so rude. They hold up traffic in their garish Lamborghinis; they inflict epilepsy-threatening laser shows on their wedding guests; they remove adorable lion cubs from their mothers just to film them on their oriental carpets…
…and they allegedly run Evil Corp (a.k.a TA505) – the threat group behind the ZeuS and Dridex Trojans that have siphoned tens of millions out of banks (and their customers’ accounts) for over a decade.
If you can pry him out of his Lamborghinis – and Russia – you might be able to claim a $5 million bounty on the head of Maksim “Aqua” Yakubets. Yakubets, 32, of Moscow, was indicted in the US on December 5th 2019.

The UK’s National Crime Agency (NCA) released photos and video showing the lavish lifestyle of Yakubets and his alleged cronies. One of them was also indicted: Igor Turashev, 38, from Yoshkar-Ola, Russia, for his alleged role in the “Bugat” malware conspiracy – another name for Dridex – also known as Cridex.
For its part, the NCA has been working on the group’s core malware strains – Dridex – since 2014. The NCA says that unraveling Dridex has involved “unprecedented” cooperation between itself, the FBI and the National Cyber Security Center.

The NCA calls Evil Corp “the world’s most harmful cybercrime group,” responsible for deploying malware causing financial losses worth hundreds of millions of pounds in the UK alone. On Thursday, the US State Department, in partnership with the FBI, announced a reward of up to $5 million under the Transnational Organized Crime Rewards Program for information leading to the arrest and/or conviction of Yakubets.
It’s the largest ever bounty for a cybercriminal to date, the Justice Department (DOJ) said.


A federal grand jury in Pittsburgh returned a 10-count indictment against Yakubets and Turashev, charging them with conspiracy, computer hacking, wire fraud, and bank fraud, in connection with the distribution of Bugat/Dridex. Peter Mackenzie, Sophos’s Global Malware Escalations Manager, calls Dridex “the most advanced banking Trojan in the world”. It has strong links to BitPaymer ransomware attacks and is normally deployed via Emotet – a malware that’s designed to evade detection and multiply.

It’s a banking Trojan that injects code into the network stack of infected Windows computers, inserts itself into software modules that can then steal address book data and perform denial of service (DoS) attacks on other systems, and serves up a host of other Trojans. Peter believes Emotet’s raison d’être is to cluster-bomb endpoints with as many Trojans as possible in the hopes that a few will hide away for years undetected, then wait “for that unlucky victim to step on them.” The sum of all that nastiness = an incredible amount of time and hard work spent fighting Dridex, Peter says.

Dridex has NOT dried up

Unfortunately, court indictments aren’t going to mop up Dridex anytime soon. The US Department of Homeland Security (DHS) warned that Dridex malware attacks targeting private-sector financial firms through phishing campaigns are still going strong. According to the Cybersecurity and Infrastructure Security Agency (CISA), via the US National Cyber Awareness System, the phishing emails are using a combination of legitimate business names and domains, professional terminology, and urgent language that tries to get its targets to click on attachments.

CISA has a long list of mitigations that organizations can take to reduce risks, as well as tips on how security admins can configure their organizations’ defenses to detect Dridex and avoid potential attacks.

One last photo of Yakubets

The NCA says that Yakubets allegedly employed dozens of people to run Evil Corp’s operation from the basements of Moscow cafes. One previous arrest proved to be barely a bump in the road: in 2015, the NCA and FBI took down the Dridex botnet and arrested Andrey Ghinkul, a Dridex distributor known as “Smilex.”
Within weeks, Evil Corp adapted the malware and infrastructure to resume its criminal activities.
But let’s hope that some bounty hunter can bring one more Evil Corp boss to justice.

Published with permission from Sophos Naked Security

Related Posts