
The threat group known as Evil Corp has shown resilience, continuing to iterate and regroup in an effort to evade sanctions. Today, the National Crime Agency (NCA) named another member of the infamous group, Alexsandr Ryzhenkov, as the leader’s right-hand man.
In addition to this news, we’re also sharing domains associated with Evil Corp over the past several years in the hope that the community can better understand their infrastructure and prevent future attacks.
Evil Corp (not to be confused with E Corp from Mr. Robot) is a prolific and dangerous cybercrime group hailing from Russia. Their primary claim to fame is the development and distribution of Dridex malware (also known as ‘Bugat’), which was designed to steal confidential information, such as banking credentials along with personally identifiable information (PII).
The group has been active for over a decade and has harvested banking credentials from over 300 banks and financial institutions in over 40 countries, though as of late, they primarily target the United States and United Kingdom.
The leader of the gang, Maksim “Aqua” Yakubets, was an early adopter in terms of moving Evil Corp to an affiliate model, selling access to Dridex malware to other malicious actors and allowing Evil Corp to pocket a percentage of the additional revenues.
While Russia initially provided some assistance to the United States regarding the whereabouts of Yakubets, they ceased participation in the investigation, spurring rumors that Yakubets is working for the Federal Security Service of the Russian Federation (FSB). Given that Yakubets’ father-in-law is an ex-FSB officer, these claims have some merit. Additionally, it is reported that several of Evil Corp’s members are related to high-ranking Russian officials. A report from the NCA, FBI, and AFP sheds further light on the connections and collaboration that Evil Corp has historically had with the Russian government, including the personal ties between Evil Corp members and campaigns undertaken on behalf of their security services.
In 2019, the US Treasury Department issued sanctions against Yakubets and his associates; should any of the listed individuals leave Russia, they ought to be arrested. The bounty placed on Yakubets’ head is $5,000,000.
Here’s what Evil Corp has been up to in the last five years:
While the members of Evil Corp and their activities predate 2019, going back to 2007 and the formation of what was known as The Business Club, the group started to adopt the Evil Corp identity in 2013, registering the domain ev17corp[.]biz on February 15th, 2013. Since the launch of Dridex in 2014, their activities have been consolidated under the new moniker. It was a few years later that Evil Corp began deploying ransomware via their botnet; first using Bitpaymer and later developing and deploying DoppelPaymer in their ransomware attacks. Around the same time, Evil Corp actors Yakubets and Alexsandr Ryzhenkov began the development of what would ultimately become the ransomware known as WastedLocker.
In 2019, law enforcement actions and imposed sanctions prohibited ransom payments to Evil Corp. The group retaliated by obfuscating their activities in the hope of continuing their operations. This included a shift away from the Dridex botnet in favor of SocGholish as an initial access tool. Later it was followed by the development and adaptation of numerous ransomware strains including Hades, Phoenix Locker, PayloadBIN and Macaw to try and further evade sanctions. In June of 2022, Mandiant reported on a tie between Evil Corp and Lockbit as further evidence of their efforts to continue operations and facilitate ransomware payments to the group. In the report by the NCA and law enforcement partners, it is also stated that Ryzhenkov, identified as “Yakubets’ right hand man,” is a Lockbit affiliate and has been tied to numerous Lockbit attacks.
Beyond the individual actors that have been historically associated with Evil Corp, and the reiteration of Yakubets’ role in the organization, the identification of Alexsandr Ryzhenkov is notable, and we believe it has not been previously disclosed. Given his reported involvement in the development of Dridex and subsequent ransomware variants, this would surely warrant the same treatment as other cybercriminals who have recently been indicted, including actors associated with Trickbot.
This report by law enforcement is an important reminder of the threat these groups pose and the efforts they undertake to continue their malicious activity. While Evil Corp has long been a known actor group, their continued recidivism and history of adapting their tactics, techniques, and procedures (TTPs) makes them a relevant and persisting threat. Sharing information about their activities and TTPs is important in the collective effort to defend against them.
To those ends, we have included a list of domains associated with Evil Corp over the past few years. While it is not exhaustive, it hopefully provides an illustration of the scale at which many of these groups operate and the use of domains in their C2 infrastructure.
Utilizing DNS and domain intelligence can be powerful in the fight against cybercrime groups like Evil Corp:
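The practical use of such a domain list is to match it against your own DNS telemetry. The following is an added example, not code from the original post or from the NCA report: it refangs defanged indicators of the form published in threat-intelligence reports (the only Evil Corp domain on this page is ev17corp[.]biz; the second indicator is a constructed placeholder), scans a constructed set of dnsmasq-style DNS query log lines, matches both exact domains and their subdomains without matching look-alike names such as notev17corp.biz, and groups the querying clients by indicator for triage. The log format and the placeholder domain are assumptions.

```python
import re
from collections import defaultdict
from typing import Optional

# Defanged indicators as threat-intel reports publish them.
# ev17corp[.]biz is the domain named on this page; the second entry is a
# constructed placeholder used only to demonstrate subdomain matching.
DEFANGED_INDICATORS = [
    "ev17corp[.]biz",
    "example-c2-placeholder[.]test",  # constructed, not a real indicator
]

# Constructed DNS query log lines in a dnsmasq-like "query[TYPE] name from client" shape.
SAMPLE_DNS_LOG = """\
Oct 01 10:00:01 query[A] www.microsoft.com from 10.0.0.5
Oct 01 10:00:02 query[A] ev17corp.biz from 10.0.0.7
Oct 01 10:00:03 query[A] update.example-c2-placeholder.test from 10.0.0.9
Oct 01 10:00:04 query[A] notev17corp.biz from 10.0.0.11
Oct 01 10:00:05 query[AAAA] cdn.ev17corp.biz from 10.0.0.7
"""

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (ev17corp[.]biz, hxxp://...) back into a plain domain."""
    d = indicator.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        d = d.replace(token, ".")
    d = re.sub(r"^hxxps?://", "", d)  # strip defanged scheme if present
    return d.rstrip(".")


def matches_indicator(name: str, indicators: list) -> Optional[str]:
    """Return the indicator that covers `name` (exact match or a subdomain of it).

    Requiring a leading dot for the suffix match is what keeps look-alike
    names such as notev17corp.biz from producing a false hit.
    """
    name = name.lower().rstrip(".")
    for ind in indicators:
        if name == ind or name.endswith("." + ind):
            return ind
    return None


def scan_dns_log(log_text: str, defanged: list) -> list:
    """Parse query lines and return one hit dict per query that touches an indicator."""
    indicators = [refang(i) for i in defanged]
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; ignore
        ind = matches_indicator(m["name"], indicators)
        if ind is not None:
            hits.append({
                "client": m["client"],
                "name": m["name"],
                "qtype": m["qtype"],
                "indicator": ind,
            })
    return hits


def clients_by_indicator(hits: list) -> dict:
    """Group querying clients per matched indicator so responders can triage hosts."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["indicator"]].add(h["client"])
    return {ind: sorted(clients) for ind, clients in grouped.items()}


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_INDICATORS)
    for h in found:
        print(f"{h['client']} queried {h['name']} ({h['qtype']}) -> matches {h['indicator']}")
    print(clients_by_indicator(found))
```

Running the block as a script lists the three matching queries and prints a per-indicator list of client addresses; the www.microsoft.com query and the look-alike notev17corp.biz are correctly ignored. Pointing `scan_dns_log` at a resolver's real query log and a full indicator list is the same call with different inputs.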