Alleged Gozi Co-Author Pleads Guilty As Alleged Citadel, Dridex Attackers Arrested

The author behind one strain of banking malware, Gozi, has pleaded guilty and is awaiting sentencing while two other men, who allegedly had a hand in developing the banking malware Citadel and Dridex, were recently apprehended.

Latvian Deniss Calovskis, 30, acknowledged in a federal court in New York on Friday that he wrote some of the code behind Gozi, a Trojan that ultimately wound up infecting more than a million machines worldwide five years ago.

Calovskis was charged with several counts, including computer intrusion, conspiracy to commit bank and wire fraud, and access device fraud, alongside two others, Mihai Ionut Paunescu, from Romania, and Nikita Vladimirovich Kuzmin, from Russia, back in January 2013 – but this is the first time he’s actually confessed to the crimes.

According to Reuters, Calovskis, who’s set to be sentenced on Dec. 14 and has long denied his involvement in Gozi, acknowledged his wrongdoing.

“I knew what I was doing was against the law,” Calovskis said in court Friday.

Calovskis, who’s been in custody since his extradition in February, was initially arrested in November 2012 and held for 10 months in jail. Of the others involved, Kuzmin, the alleged mastermind behind the scheme, pleaded guilty back in May 2011, and Paunescu was arrested in December 2012 but still hasn’t been extradited.

Calovskis and his cohorts raked in tens of millions of dollars by distributing the malware, according to a 2013 statement from the FBI’s Assistant Director in Charge George Venizelos.

Initially spread through infected PDF documents, Gozi was given a jumpstart in 2013 when it was caught infecting computer Master Boot Records (MBR) with a rootkit.

In addition to the Gozi news, a blog post at Krebs on Security over the weekend, citing two foreign publications, points out that two men allegedly connected to both the Citadel and Dridex malware campaigns were recently arrested.

Krebs links to a short report from late August published in the Cyprus Mail that describes how a 30-year-old Moldovan man was arrested for “conspiring to commit millions of dollars worth of bank fraud using a PC.” While the report doesn’t specifically mention Dridex by name, Krebs claims that “sources close to the investigation” believe the man is a “key figure in an organized crime gang responsible for developing and using” the banking Trojan.

The Dridex Trojan has gained a good deal of traction this year, mostly by exploiting malicious macros embedded in Microsoft Office programs. Several malicious spam and phishing campaigns were spotted in January and March this year spreading the malware via macros in XML files and via the AutoClose method.

Krebs also references a separate report from a Norwegian newspaper, VG, that claims a 27-year-old Russian man who was recently arrested may be behind the Citadel malware. The report claims the man – referred to only as Mark – has been under house arrest for 11 months while the U.S. government works out his extradition from Russia. The article claims that the U.S. Department of Justice believes Mark uses the handle Aquabox, the same handle used by the person believed to be behind the Zeus variant.

Disagreement between Russia and the U.S. has prevented extradition to date, the publication claims.

While iterations of Citadel have been around for years, a handful of newer Citadel variants flooded the market in 2014, including versions that targeted password managers, versions that were used in attacks against Middle Eastern petrochemical companies, and versions that gave attackers remote access, even after the malware was removed.
