Organization Excels at Niche Branding but Stumbles in Avoiding Enforcement

The first paragraph of the press release sums it up:

Today the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) took action against Evil Corp, the Russia-based cybercriminal organization responsible for the development and distribution of the Dridex malware.  Evil Corp has used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft.  This malicious software has caused millions of dollars of damage to U.S. and international financial institutions and their customers.  Concurrent with OFAC’s action, the Department of Justice charged two of Evil Corp’s members with criminal violations, and the Department of State announced a reward for information up to $5 million leading to the capture or conviction of Evil Corp’s leader.  These U.S. actions were carried out in close coordination with the United Kingdom’s National Crime Agency (NCA).  Additionally, based on information obtained by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) released previously unreported indicators of compromise associated with the Dridex malware and its use against the financial services sector.

The Department of Treasury press release is extremely detailed.  Summarized very broadly, it observes that OFAC’s designation targets 17 individuals and seven entities, including Evil Corp, its “core cyber operators, multiple businesses associated with a group member, and financial facilitators utilized by the group.”  The designation means that all property and interests in property of these persons subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited in engaging in transactions with them.  As noted below, the U.S. government is alleging that these cyber criminals are working with the Russian government.

The Russian Connection

As noted, the Department of Justice also obtained indictments against two members of Evil Corp, Maksim V. Yakubets and Igor Turashev (both Russians), charging them with conspiracy, computer hacking, wire fraud, and bank fraud.  In part, the indictment alleges that “Yakubets and Turashev victimized mulple entities, including two banks, a school district, and four companies including a petroleum business, building materials supply company, vacuum and thin film deposition technology company and metal manufacturer in the Western District of Pennsylvania and a firearm manufacturer.”  Interestingly, the Treasury Department alleges that, “in addition to his involvement in financially motivated cybercrime, the group’s leader, Maskim Yakubets, also provides direct assistance to the Russian government’s malicious cyber efforts, highlighting the Russian government’s enlistment of cybercriminals for its own malicious purposes.”

Dridex Revealed

The malware is described thusly, and its mechanisms are summarized in a graphic in the Treasury Department’s press release:

Dridex is traditionally spread through massive phishing email campaigns that seek to entice victims to click on malicious links or attachments embedded within the emails.  Once a system is infected, Evil Corp uses compromised credentials to fraudulently transfer funds from victims’ bank accounts to those of accounts controlled by the group.  As of 2016, Evil Corp had harvested banking credentials from customers at approximately 300 banks and financial institutions in over 40 countries, making the group one of the main financial threats faced by businesses.  In particular, Evil Corp heavily targets financial services sector organizations located in the United States and the United Kingdom.  Through their use of the Dridex malware, Evil Corp has illicitly earned at least $100 million, though it is likely that the total of their illicit proceeds is significantly higher.

Here is the graphic:

An Alert to Financial Institutions

In a joint Alert directed to financial institutions, and in collaboration with the Department of the Treasury’s Financial Sector Cyber Information Group (CIG), FinCEN and the Cybersecurity and Infrastructure Security Agency (CISA) seek to warn and inform the financial sector about the Dridex malware and variants by providing an overview of the malware and a list of previously-unreported indicators of cyber compromise derived from information reported to FinCEN by private sector financial institutions.

The Alert is detailed and technical, and it provides recommendations on how to mitigate and respond to the Dridex malware, as well as cybersecurity best practices.  Any financial institution’s tech and/or internal security personnel should review the Alert, which also provides contact information at the FBI and CISA for businesses to report an intrusion and request resources for incident response or technical assistance.