GOLD EVERGREEN
SUMMARY
GOLD EVERGREEN was a financially motivated cybercriminal threat group that operated the Gameover Zeus (aka Mapp, P2P Zeus) botnet until June 2014. It encompasses an expansive and long-running criminal conspiracy operated by a confederation of individuals calling themselves The Business Club from the mid-2000s until 2014. GOLD EVERGREEN's technical operation was facilitated primarily through botnets using the Zeus, JabberZeus, and eventually Gameover Zeus malware families. These malware families were designed and maintained by a Russian national, Evgeniy Bogachev (aka "slavik"), who was indicted by the U.S. DOJ in 2014 and remains a fugitive.
GOLD EVERGREEN primarily operated these botnets to facilitate both its own financial fraud and that of many affiliates who paid for access to the botnets or to the data generated by infections. From 2011 to 2014, separate segments of the Gameover Zeus botnet were created to carry out espionage activity against infected hosts. The threat actors used the malware to search systems for keywords related to military and intelligence topics in Ukraine, Georgia, Turkey, and the United States. At the time, all of these subjects were of key strategic importance to Russia, and CTU researchers assess with moderate confidence that one or more operators of Gameover Zeus were collaborating with Russian intelligence services.
In May 2013 the group began distributing a novel screen-locking ransomware family to a small number of hosts infected with Gameover Zeus. In early November 2013 this ransomware family was rebranded as CryptoLocker and equipped with the ability to systematically encrypt files on infected systems. While not the first file-encrypting ransomware family, it was the first to be both competently designed and widely distributed. The emergence of CryptoLocker created a global trend of high-volume distribution of ransomware through spam and exploit kits across the Internet. Like Zeus and its numerous successors, CryptoLocker is thought to have been authored by slavik.
Slavik was reported to have an acrimonious relationship with other group members, which led, along with other factors, to these members seeking to more closely control their own fraud operations. By late 2013 several of these members had begun working on similarly capable banking malware variants, either based on the Bugat source code or developed organically, like Dyre. In May 2014 international law enforcement and industry intervention disrupted the Gameover Zeus botnet and further exacerbated these intra-group rifts. Several threat groups emerged from GOLD EVERGREEN and remain active, including GOLD CRESTWOOD (Emotet), GOLD BLACKBURN (TrickBot), and GOLD DRAKE (Dridex).
Threat Analysis
Evolution of the GOLD EVERGREEN Threat Group