Jabber Zeus

Jabber Zeus is a banking Trojan and associated cybercriminal operation active primarily around 2009 to 2010. It is described as the second main iteration of Zeus, succeeding Zeus and preceding Gameover Zeus, and is also referred to in the content as ZeuS 2.1.0.X, Licat, and Murofet. The malware was used by a syndicate based in Russia, Ukraine, and the United Kingdom to target small businesses via spam emails, steal online banking credentials and one-time passwords, and exfiltrate stolen data in real time over the Jabber protocol. The operation then laundered proceeds through a large money mule network reported as exceeding 3,500 mules. The content attributes primary development of Jabber Zeus to Evgeniy Bogachev, with Vyacheslav Penchukov coordinating stolen credential movement and mule operations, and Maksim Yakubets managing mule recruitment; another alleged developer/operator identified as MrICQ is Yuriy Igorevich Rybtsov. Reported enhancements added in September 2010 included a domain generation algorithm, regular expression support, file infection capability, and encrypted distribution, with each copy requiring a $10,000 encryption key purchased by Penchukov. The botnet was used for large-scale financial theft, with at least $70 million reportedly stolen, and the content also states it was suspected of supporting espionage activity in Georgia, Turkey, and Ukraine. Law-enforcement reporting in the content links the malware and group to Operation Trident Breach, a joint action involving U.S., U.K., Ukrainian, Dutch, and Russian agencies, after which the operation was disrupted and later re-emerged as Gameover Zeus. High-confidence behavioral indicators from the content are spam-based delivery, theft of banking credentials and OTPs, real-time Jabber-based exfiltration, botnet operation, DGA use, encrypted distribution, and file infection capability.