9/29/2015
05:00 PM
Dark Reading
Products and Releases

Russian Developer of the Notorious Citadel Malware Sentenced to Prison

ATLANTA—Dimitry Belorossov, a/k/a Rainerfox, has been sentenced to four years, six months in prison following his guilty plea for conspiring to commit computer fraud. Belorossov distributed and installed Citadel, a sophisticated malware that infected over 11 million computers worldwide, onto victim computers using a variety of infection methods.

“Global cyber-crime requires a global response, and this case is a perfect example,” said U.S. Attorney John Horn. “This defendant committed computer hacking offenses on victims in the United States from the relative safety of his home country of Russia, but he was arrested by our law enforcement partners in Spain. As malware and hacking toolkits continue to victimize computer users around the world, we will step up our efforts to focus internationally on the criminals who develop these programs.”

“The FBI, in working with its international partners, continues to demonstrate that international boundaries no longer provide a safe haven for cybercriminals targeting U.S. individuals or interests domestically. Successful investigation and prosecution of cases such as this are directly attributable to the increased capabilities and determination of our cyber trained investigators and our foreign based legal attachés working collectively to not only disrupt and dismantle these foreign based hacking efforts, but also to bring those individuals responsible to justice,” said J. Britt Johnson, Special Agent in Charge, FBI Atlanta Field Office.

According to U.S. Attorney Horn, the charges and other information presented in court: In late 2011, a malicious software toolkit named “Citadel” began appearing for sale on invite-only Internet website forums frequented by cybercriminals. Citadel was a sophisticated form of malware known as a “banking Trojan” designed to steal online banking credentials, credit card information, personally identifiable information, and, ultimately, funds through unauthorized electronic transfers. Citadel electronically infected the computers of unsuspecting individuals and financial institutions, creating “bots,” which cybercriminals, such as Belorossov, then remotely accessed and controlled.

Cybercriminals, including Belorossov, distributed and installed Citadel onto victim computers through a variety of infection methods, including malicious attachments to spam e-mails and commercial Internet ads containing malware or links to malware. Since 2011, multiple versions of Citadel have been distributed and operated throughout the world. Citadel became one of the most advanced crimeware tools available in the underground market, as it had the capability, among other things, to block antivirus sites on infected computers. According to industry estimates, Citadel, and other botnets like it, infected approximately 11 million computers worldwide and are responsible for over $500 million in losses.

In 2012, Belorossov downloaded a version of Citadel, which he then used to operate a Citadel botnet primarily from Russia. Belorossov remotely controlled over 7,000 victim bots, including at least one infected computer system with an IP address resolving to the Northern District of Georgia. Belorossov’s Citadel botnet contained personal information from the infected victim computers, including online banking credentials for U.S.-based financial institutions with federally insured deposits, credit card information, and other personally identifying information.

In addition to operating a Citadel botnet, Belorossov also provided online assistance with the goal of developing suggested improvements to Citadel, including posting comments on criminal forums on the Internet and electronically communicating with other cybercriminals via e-mail and instant messaging.

For example, in 2012 Belorossov made numerous postings to Citadelmovement.com, an online forum in which Belorossov discussed his Citadel botnet and recommended improvements to the Citadel malware. In those postings, which were in Russian, Belorossov shared his concurrence with the improvements to Citadel recommended by others and commented on the efficacy of additional criminal functions other customers had recommended as enhancements to the Citadel malware.

Belorossov, 22, of St. Petersburg, Russia, has been sentenced by U.S. District Court Chief Judge Thomas W. Thrash Jr., to four years, six months in prison, to be followed by three years of supervised release, and ordered to pay restitution in the amount of $322,409.09. Belorossov was convicted on July 18, 2014, after he pleaded guilty.

This case was investigated by the Federal Bureau of Investigation.

Assistant U.S. Attorneys Steven D. Grimberg and Scott Ferber prosecuted the case.

For further information please contact the U.S. Attorney’s Public Affairs Office at [email protected] or (404) 581-6016. The Internet address for the U.S. Attorney’s Office for the Northern District of Georgia is http://www.justice.gov/usao-ndga.

 
