Researchers have linked one of the world’s most-used banking malware attack tools to an espionage campaign that may be tied to the Russian government.
Fox-IT researchers reported uncovering the campaign in a GameOver Zeus (GOZ) Backgrounds on the Bad Guys and Backends threat report.
GOZ is a financially focused malware designed to steal valuable information from machines, such as bank account numbers, passwords, personal identification numbers, and online banking account login details.
It was one of the most successful botnet attack tools used by cyber criminals and is believed to have enslaved between 500,000 to a million computers at its peak.
The threat paper reported the Zeus malware had a secondary, previously undiscovered, espionage capability.
“Some of the more unusual instances of GOZ were specific botnets that were not used for typical fraud, but instead for espionage,” read the paper.
“One instance focused on Georgia and Turkey; the botnets contained a number of commands issued specifically to these countries, with queries which were very detailed, including searches for documents with certain levels of government secret classifications.”
The report said the hackers’ espionage efforts were in line with Russian government interests. The researchers highlighted one instance where the attackers began targeting Ukraine as evidence of their claim.
“After the recent political changes in Ukraine, which led to a more pro-western government, one botnet which had been previously used for banking fraud, was then used for a large amount of infections in Ukraine to search for certain types of politically sensitive information,” read the paper.
The FBI believes GOZ was created by Evgeniy “Slavik” Bogachev and is currently offering a $US4.2 million bounty for information that may lead to his arrest.
Despite the bounty, law enforcement have not been able to find Bogachev. The Fox-IT paper suggested this could be because the Russian government is offering him aid.
“After looking at the whole set of search queries, it is quite likely that Slavik, who had set up and enjoyed full access to these specific ZeuS command and control servers, was involved in more than just the crime ring around [GOZ],” reads the paper.
“We could speculate that due to this part of his work he had obtained a level of protection, and was able to get away with certain crimes as long as they were not committed against Russia. This of course remains speculation, but perhaps it is one of the reasons why he has as yet not been apprehended.”
Business Insider has reached out to the Russian embassy in London for comment.