Two individuals have been arrested in Australia and the U.S. in connection with an alleged scheme to develop and distribute a remote access trojan called Hive RAT (previously Firebird).

The U.S. Justice Department (DoJ) said the malware “gave the malware purchasers control over victim computers and enabled them to access victims’ private communications, their login credentials, and other personal information.”

A 24-year-old individual named Edmond Chakhmakhchyan (aka “Corruption”) from Van Nuys in Los Angeles, California, was taken into custody after he was caught selling a license of Hive RAT to an undercover employee of a law enforcement agency.

He has been charged with one count of conspiracy and one count of advertising a device as an interception device, each of which carries a penalty of five years in prison. Chakhmakhchyan pleaded not guilty and was ordered to stand trial on June 4, 2024.

Court documents allege a partnership between the malware’s creator and the defendant under which the latter would post advertisements for the malware on a cybercrime forum called Hack Forums, accept cryptocurrency payments from customers, and offer product support.

Hive RAT comes with capabilities to terminate programs, browse files, record keystrokes, access incoming and outgoing communications, and steal victim passwords and other credentials for bank accounts and cryptocurrency wallets from victims’ machines without their knowledge or consent.

“Chakhmakhchyan exchanged electronic messages with purchasers and explained to one buyer that the malware ‘allowed the Hive RAT user to access another person’s computer without that person knowing about the access,'” the DoJ said.

The Australian Federal Police (AFP), which announced charges of its own against a citizen for their purported involvement in the creation and sale of Hive RAT, said its investigation into the matter began in 2020.

The unnamed suspect faces 12 charges, including one count of producing data with intent to commit a computer offense, one count of controlling data with intent to commit a computer offense, and 10 counts of supplying data with intent to commit a computer offense. The maximum penalty for each of these offenses is three years imprisonment.

“Remote Access Trojans are one of the most harmful cyber threats in the online environment – once installed onto a device, a RAT can provide criminals with full access to, and control of the device,” AFP Acting Commander Cybercrime Sue Evans said.

“This could include anything from committing crimes anonymously, watching victims through camera devices, wiping hard drives, or stealing banking credentials and other sensitive information.”

Nebraska Man Indicted in Cryptojacking Scheme

The development comes as federal prosecutors in the U.S. indicted Charles O. Parks III (aka “CP3O”), 45, for operating a massive illegal cryptojacking operation, defrauding “two well-known providers of cloud computing services” out of more than $3.5 million in computing resources to mine cryptocurrency worth nearly $1 million.

The indictment charges the Parks with wire fraud, money laundering, and engaging in unlawful monetary transactions. He was arrested on April 13, 2024. The wire fraud and money laundering charges carry a maximum sentence of 20 years’ imprisonment. He also faces a 10 years’ imprisonment on the unlawful monetary transactions charges.

While the DoJ does not explicitly state what cloud providers were targeted in the fraudulent operation, it noted that the companies are based in the Washington state cities of Seattle and Redmond – the corporate headquarters for Amazon and Microsoft.

“From in or about January 2021 through August 2021, Parks created and used a variety of names, corporate affiliations and email addresses, including emails with domains from corporate entities he operated […] to register numerous accounts with the cloud providers and to gain access to massive amounts of computing processing power and storage that he did not pay for,” the DoJ said.

The illicitly obtained resources were then used to mine cryptocurrencies such as Ether (ETH), Litecoin (LTC) and Monero (XMR), which were laundered through a network of cryptocurrency exchanges, a non-fungible token (NFT) marketplace, an online payment provider, and traditional bank accounts to conceal digital transaction trail.

The ill-gotten proceeds, prosecutors said, were ultimately converted into dollars, which Parks used to make various extravagant purchases that included a Mercedes Benz luxury car, jewelry, and first-class hotel and travel expenses.

“Parks tricked the providers into approving heightened privileges and benefits, including elevated levels of cloud computing services and deferred billing accommodations, and deflected inquiries from the providers regarding questionable data usage and mounting unpaid subscription balances,” the DoJ said.

Feb 18, 2024NewsroomMalware / Cybercrime

A Ukrainian national has pleaded guilty in the U.S. to his role in two different malware schemes, Zeus and IcedID, between May 2009 and February 2021.

Vyacheslav Igorevich Penchukov (aka Vyacheslav Igoravich Andreev, father, and tank), 37, was arrested by Swiss authorities in October 2022 and extradited to the U.S. last year. He was added to the FBI’s most-wanted list in 2012.

The U.S. Department of Justice (DoJ) described Penchukov as a “leader of two prolific malware groups” that infected thousands of computers with malware, leading to ransomware and the theft of millions of dollars.

This included the Zeus banking trojan that facilitated the theft of bank account information, passwords, personal identification numbers, and other details necessary to login to online banking accounts.

Penchukov and his co-conspirators, as part of the “wide-ranging racketeering enterprise” dubbed Jabber Zeus gang, then masqueraded as employees of the victims to initiate unauthorized fund transfers.

They also used individuals residing in the U.S. and other parts of the world as “money mules” to receive the wired funds, which were ultimately funneled to overseas accounts controlled by Penchukov et al. A successor to Zeus was dismantled in 2014.

The defendant has also been accused of facilitating malicious activity by helping lead attacks involving the IcedID (aka BokBot) malware from at least November 2018. The malware is capable of acting as an information stealer and a loader for other payloads, such as ransomware.

Ultimately, as investigative journalist Brian Krebs reported back in 2022, he managed to evade prosecution by Ukrainian cybercrime investigators for many years due to his political connections with former Ukrainian President Victor Yanukovych.

Following his arrest and extradition, Penchukov pleaded guilty to one count of conspiracy to commit a racketeer-influenced and corrupt organization (RICO) act offense for his leadership role in the Jabber Zeus group. He also pleaded guilty to one count of conspiracy to commit wire fraud for his leadership role in the IcedID malware group.

Penchukov is scheduled to be sentenced on May 9, 2024, and faces a maximum penalty of 20 years in prison for each count.

The development comes as the DoJ announced the extradition of a 28-year-old Ukrainian national from the Netherlands in connection with fraud, money laundering and aggravated identity theft by allegedly operating and advertising an information stealer known as Raccoon.

Mark Sokolovsky, who was arrested by Dutch authorities in March 2022, leased Raccoon to other cybercriminals on a malware-as-a-service (MaaS) model for $200 a month. It first became available in April 2019.

“These individuals used various ruses, such as email phishing, to install the malware onto the computers of unsuspecting victims,” the DoJ said.

“Raccoon infostealer then stole personal data from victim computers, including login credentials, financial information, and other personal records. Stolen information was used to commit financial crimes or was sold to others on cybercrime forums.”

At least 50 million unique credentials and forms of identification have been harvested by the malware, according to the U.S. Federal Bureau of Investigation (FBI) estimates.

Sokolovsky’s arrest was accompanied by a coordinated takedown of Raccoon’s digital infrastructure, but a new version of the stealer, called RecordBreaker, has since emerged in the wild.

He has been charged with one count of conspiracy to commit fraud and related activity in connection with computers, one count of conspiracy to commit wire fraud, one count of conspiracy to commit money laundering, and one count of aggravated identity theft.

Jan 26, 2024NewsroomCyber Crime / Malware

40-year-old Russian national Vladimir Dunaev has been sentenced to five years and four months in prison for his role in creating and distributing the TrickBot malware, the U.S. Department of Justice (DoJ) said.

The development comes nearly two months after Dunaev pleaded guilty to committing computer fraud and identity theft and conspiracy to commit wire fraud and bank fraud.

“Hospitals, schools, and businesses were among the millions of TrickBot victims who suffered tens of millions of dollars in losses,” DoJ said. “While active, Trickbot malware, which acted as an initial intrusion vector into victim computer systems, was used to support various ransomware variants.”

Originating as a banking trojan in 2016, TrickBot evolved into a Swiss Army knife capable of delivering additional payloads, including ransomware. Following efforts to take down the botnet, it was absorbed into the Conti ransomware operation in 2022.

The cybercrime crew’s allegiance to Russia during the Russo-Ukrainian war led to a series of leaks dubbed ContiLeaks and TrickLeaks, which precipitated its shutdown in mid-2022, resulting in its fragmentation into numerous other ransomware and data extortion groups.

Dunaev is said to have provided specialized services and technical abilities to further the TrickBot scheme between June 2016 and June 2021, using it to deliver ransomware against hospitals, schools, and businesses.

Specifically, the defendant developed browser modifications and malicious tools that made it possible to harvest credentials and sensitive data from compromised machines as well as enable remote access. He also created programs to prevent the Trickbot malware from being detected by legitimate security software.

Another TrickBot developer, a Latvian national named Alla Witte, was sentenced to two years and eight months in prison in June 2023.

News of Dunaev’s sentencing comes days after governments from Australia, the U.K., and the U.S. imposed financial sanctions on Alexander Ermakov, a Russian national and an affiliate for the REvil ransomware gang, for orchestrating the 2022 attack against health insurance provider Medibank.

Cybersecurity firm Intel 471 said Ermakov went by various online aliases such as blade_runner, GustaveDore, JimJones, aiiis_ermak, GistaveDore, gustavedore, GustaveDore, Gustave7Dore, ProgerCC, SHTAZI, and shtaziIT.

As JimJones, he has also been observed attempting to recruit unethical penetration testers who would supply login credentials for vulnerable organizations for follow-on ransomware attacks in exchange for $500 per access and a 5% cut of the ransom proceeds.

“These identifiers are linked to a wide range of cybercriminal activity, including network intrusions, malware development, and ransomware attacks,” the company said, offering insights into his cybercrime history.

“Ermakov had a robust presence on cybercriminal forums and an active role in the cybercrime-as-a-service economy, both as a buyer and provider and also as a ransomware operator and affiliate. It also appears that Ermakov was involved with a software development company that specialized in both legitimate and criminal software development.”