2.5   GozNym cybercrime network dismantled by international police efforts
On May 16, police in six countries, along with the US Justice Department and Europol, announced the takedown of GozNym, a cybercrime operation linked with Avalanche, an associated cybercrime network that was largely dismantled in 2016. The action included the arrest of five of its members across Bulgaria, Georgia, Moldova, and Ukraine. Five more alleged members remain at large in Russia. In total, the operation infected 41,000 computers with fraud-focused malware and attempted to steal $100mn from victims in the US, though it is not clear exactly how much of that alleged theft was successfully carried out.
The indictment lays out how the long chain of alleged cybercrime specialists in the former Soviet countries of Russia, Georgia, Ukraine and Moldova worked.
A Russian man, Vladimir Gorin, is accused of creating, developing, and managing the GozNym banking malware. Once installed on a machine, it acted as a keylogger and hijacked victims' web browsers to inject phishing fields into banking websites when they attempted to log in, stealing their credentials to gain control of their accounts. The malware also injected a field into the browser designed to trick victims into entering a second-factor code, intercepting that code and using it in real time to defeat two-factor authentication.
Gorin allegedly leased that GozNym malware to Alexander Konovolov, the Georgian defendant named as the leader of the group, responsible for overseeing its operations and controlling the tens of thousands of infected computers in its botnet. Officials say he was aided by Marat Kazandjian, a technical assistant and administrator.
A Ukrainian named Gennady Kapkanov, arrested earlier this year, is accused of renting out the infrastructure for the operation as a so-called "bulletproof" hosting provider. In fact, his Avalanche network provided hosting for more than 20 different malware operations, according to the indictment. While a part of that operation was disrupted in 2016, Kapkanov eluded capture at the time—despite reportedly firing an AK-47 at police from his window—when a judge released him due to a mistake in charging documents.
A Moldovan man, Eduard Malanici, is accused of "crypting" the GozNym malware, obfuscating its code to hide it from antivirus software.
A Russian man, Konstantin Volchov, allegedly ran the spamming operation that sprayed phishing emails out to potential victims, in the hope that some might click on a malicious attachment or link that would install GozNym on their computers.
Once GozNym was installed and a victim's credentials were stolen, the malware sent those credentials to an administration panel. Two men, a Russian named Ruslan Katirkin and a Bulgarian named Krasimir Nikolov, allegedly controlled that panel and served as the group's "account takeover" specialists, logging into victims' accounts and attempting to steal their funds through electronic transfers such as wire transfers and ACH payments.
GEORGIA Country Report, June 2019, www.intellinews.com