Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/29/2015
05:00 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Russian Developer of the Notorious Citadel Malware Sentenced to Prison

ATLANTA—Dimitry Belorossov, a/k/a Rainerfox, has been sentenced to four years, six months in prison following his guilty plea for conspiring to commit computer fraud. Belorossov distributed and installed Citadel, a sophisticated malware that infected over 11 million computers worldwide, onto victim computers using a variety of infection methods.

“Global cyber-crime requires a global response, and this case is a perfect example,” said U.S. Attorney John Horn. “This defendant committed computer hacking offenses on victims in the United States from the relative safety of his home country of Russia, but he was arrested by our law enforcement partners in Spain. As malware and hacking toolkits continue to victimize computer users around the world, we will step up our efforts to focus internationally on the criminals who develop these programs.”

“The FBI, in working with its international partners, continues to demonstrate that international boundaries no longer provide a safe haven for cybercriminals targeting U.S. individuals or interests domestically. Successful investigation and prosecution of cases such as this are directly attributable to the increased capabilities and determination of our cyber trained investigators and our foreign based legal attachés working collectively to not only disrupt and dismantle these foreign based hacking efforts, but also to bring those individuals responsible to justice,” said J. Britt Johnson, Special Agent in Charge, FBI Atlanta Field Office.

According to U.S. Attorney Horn, the charges and other information presented in court: In late 2011, a malicious software toolkit named “Citadel” began appearing for sale on invite-only Internet website forums frequented by cybercriminals. Citadel was a sophisticated form of malware known as a “banking Trojan” designed to steal online banking credentials, credit card information, personally identifiable information, and, ultimately, funds through unauthorized electronic transfers. Citadel electronically infected the computers of unsuspecting individuals and financial institutions, creating “bots,” which cybercriminals, such as Belorossov, then remotely accessed and controlled.

Cybercriminals, including Belorossov, distributed and installed Citadel onto victim computers through a variety of infection methods, including malicious attachments to spam e-mails and commercial Internet ads containing malware or links to malware. Since 2011, multiple versions of Citadel have been distributed and operated throughout the world. Citadel became one of the most advanced crimeware tools available in the underground market, as it had the capability, among other things, to block antivirus sites on infected computers. According to industry estimates, Citadel, and other botnets like it, infected approximately 11 million computers worldwide and are responsible for over $500 million in losses.

In 2012, Belorossov downloaded a version of Citadel, which he then used to operate a Citadel botnet primarily from Russia. Belorossov remotely controlled over 7,000 victim bots, including at least one infected computer system with an IP address resolving to the Northern District of Georgia. Belorossov’s Citadel botnet contained personal information from the infected victim computers, including online banking credentials for U.S.-based financial institutions with federally insured deposits, credit card information, and other personally identifying information.

In addition to operating a Citadel botnet, Belorossov also provided online assistance with the goal of developing suggested improvements to Citadel, including posting comments on criminal forums on the Internet and electronically communicating with other cybercriminals via e-mail and instant messaging.

For example, in 2012 Belorossov made numerous postings to Citadelmovement.com, an online forum in which Belorossov discussed his Citadel botnet and recommended improvements to the Citadel malware. In those postings, which were in Russian, Belorossov shared his concurrence with the improvements to Citadel recommended by others and commented on the efficacy of additional criminal functions other customers had recommended as enhancements to the Citadel malware.

Belorossov, 22, of St. Petersburg, Russia, has been sentenced by U.S. District Court Chief Judge Thomas W. Thrash Jr., to four years, six months in prison, to be followed by three years of supervised release, and ordered to pay restitution in the amount of $322,409.09. Belorossov was convicted on July 18, 2014, after he pleaded guilty.

This case was investigated by the Federal Bureau of Investigation.

Assistant U.S. Attorneys Steven D. Grimberg and Scott Ferber prosecuted the case.

For further information please contact the U.S. Attorney’s Public Affairs Office at [email protected] or (404) 581-6016. The Internet address for the U.S. Attorney’s Office for the Northern District of Georgia is http://www.justice.gov/usao-ndga.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-33818
PUBLISHED: 2021-06-18
An issue was discovered in UniFi Protect G3 FLEX Camera Version UVC.v4.30.0.67. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service.
CVE-2021-33820
PUBLISHED: 2021-06-18
An issue was discovered in UniFi Protect G3 FLEX Camera Version UVC.v4.30.0.67.Attacker could send a huge amount of TCP SYN packet to make web service's resource exhausted. Then the web server is denial-of-service.
CVE-2021-33822
PUBLISHED: 2021-06-18
An issue was discovered on 4GEE ROUTER HH70VB Version HH70_E1_02.00_22. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service.
CVE-2020-18442
PUBLISHED: 2021-06-18
Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzip_file_read" in the function "unzzip_cat_file".
CVE-2021-3604
PUBLISHED: 2021-06-18
Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database.