Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: Exposing Evgeniy Mikhaylovich Bogachev and the "Jabber ZeuS" Gang

Monday, July 29, 2019

Exposing Evgeniy Mikhaylovich Bogachev and the "Jabber ZeuS" Gang - An OSINT Analysis

Continuing the "FBI Most Wanted Cybercriminals" series I've decided to take a closer look at the "Jabber ZeuS" including Evgeniy Mikhaylovich Bogachev for the purpose of providing actionable intelligence on the fraudulent and malicious infrastructure that was utilized in the campaign including personally identifiable information of the individuals behind it with the idea to assist law enforcement and the U.S Intelligence community with the necessary data to track down and prosecute the individuals behind the campaign.

In this post I'll provide actionable intelligence on the infrastructure used by the "Jabber ZeuS" gang including personally identifiable information for Evgeniy Mikhaylovich Bogachev and some of his known associates.

Sample Personal Photos of Evgeniy Mikhaylovich Bogachev:

Slavik's IM and personal email including responding IP:
[email protected] - 112.175.50.220

Personal Address:
Lermontova Str. Anapa, Russian Federation

Instant Messaging account:
[email protected]

Related name servers:
ns.humboldtec.cz - 88.86.102.49
ns2.humboldtec.cz - 188.165.248.173

Related domains part of a C&C phone-back location:
hxxp://slaviki-res1.com
hxxp://slavik1.com - 91.213.72.115
hxxp://slavik2.com
hxxp://slavik3.com

Slavik's primary email:
[email protected]

Slavik's ICQ numbers:
ICQ - 42729771
ICQ - 312456

Related emails known to have participated in the campaign:
[email protected]
[email protected]
[email protected]

Related domains known to have participated in the campaign:
hxxp://visitcoastweekend.com - 103.224.182.253; 70.32.1.32; 192.184.12.62; 141.8.224.93; 69.43.160.163
hxxp://incomeet.com - 192.186.226.71; 66.199.248.195
hxxp://work.businessclub.so

Related information on his colleague (chingiz) as seen in the attached screenshot:

Real Name: Galdziev Chingiz

Related domains known to have participated in the campaign:
hxxp://fizot.org
hxxp://fizot.com - 50.63.202.35; 184.168.221.33
hxxp://poymi.ru - 109.206.190.54

Related name servers known to have participated in the campaign:
ns1.fizot.com - 35.186.238.101
ns2.fizot.com

Related domain including an associated email using the same name server:
hxxp://averfame.org - [email protected]

Google Analytics ID: UA-3816538

Related domains known to have participated in the campaign:
hxxp://awmproxy.com
hxxp://pornxplayer.com

Related emails known to have participated in the campaign:
[email protected]
[email protected]
[email protected]

Related domains known to have responded to the same malicious and fraudulent IP - 178.162.188.28:
hxxp://dnevnik.cc
hxxp://xvpn.ru
hxxp://xsave.ru
hxxp://anyget.ru
hxxp://nezayti.ru
hxxp://proproxy.ru
hxxp://hitmovies.ru
hxxp://appfriends.ru
hxxp://naraboteya.ru
hxxp://naraboteya.ru
hxxp://awmproxy.com
hxxp://zzyoutube.com
hxxp://pornxplayer.com
hxxp://awmproxy.net
hxxp://checkerproxy.net

Related domains known to have participated in the campaign:
hxxp://fizot.livejournal.com/
hxxp://russiaru.net/fizot/

Instant Messaging Account:
ICQ - 795781

Related personally identifiable information of Galdziev Chingiz:
hxxp://phpnow.ru
ICQ - 434929
Email: [email protected]

Related domains known to have participated in the campaign:
hxxp://filmv.net
hxxp://finance-customer.com
hxxp://firelinesecrets.com
hxxp://fllmphpxpwqeyhj.net
hxxp://flsunstate333.com

Related individuals known to have participated in the campaign:
Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits

Related Instant Messaging accounts and emails known to have participated in the campaign:
[email protected]
[email protected]
[email protected]
[email protected],
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
getreadysafebox.ru
john.mikleymaiI.com
aIexeysafinyahoo.corn
[email protected]
[email protected],
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected].
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

We'll post new updates as soon as new developments take place.

Related posts:
Exposing Iran's Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis
Who's Behind the Syrian Electronic Army? - An OSINT Analysis

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at [email protected]