The June arrest of a Russian cybercrime gang responsible for the Lurk Trojan also put to rest the infamous Angler Exploit Kit.
Researchers at Kaspersky Lab today published a detailed report on the Lurk takedown, confirming at the same time the connection between the Lurk gang and Angler.
Activity around Angler all but disappeared once the arrests were made, and the Kaspersky report says clues in the gang’s IT infrastructure left little doubt that these were the criminals responsible for developing and distributing Angler.
Angler was one of the most notorious exploit kits on the Internet, updated frequently and sold underground to criminals wishing to distribute everything from adware, to click-fraud malware, to ransomware.
The Lurk gang’s takedown this spring put an end to Angler’s run, and came after a period of carelessness on its keepers’ behalf, Kaspersky Lab’s Ruslan Stoyanov said.
“Either because of an unshakable confidence in their own impunity or because of apathy, day-by-day the cybercriminals were paying less attention to the anonymity of their actions,” Stoyanov wrote. “They became especially careless when cashing money: according to our incident analysis, during the last stage of their activity, the cybercriminals used just a few shell companies to deposit the stolen money. But none of that mattered any more as both we and the police had collected enough material to arrest suspected group members, which happened early in June this year.”
Russian law enforcement arrested 50 people in June connected to the Lurk gang, charging them with stealing $45 million from banks and other businesses during its five-year operation. Initially, the Angler Exploit Kit was built solely to distribute the Lurk banking Trojan, and for a while, the Lurk gang kept this a closed-door private operation, Kaspersky Lab said.
In 2013 and 2014, however, hard financial times hit the outfit, Stoyanov said, and the group needed to find revenue to support its network infrastructure and pay employees.
It was then when they decided to rent out the Angler platform on a number of underground forums.
“We suggest that the Lurk gang’s decision to open access to Angler was partly provoked by necessity to pay bills. By the time they opened Angler for rent, the profitability of their main business–robbing organizations–was decreasing due to a set of security measures implemented by remote banking system software developers,” Stoyanov said.
Kaspersky began in 2011 investigating a number of cyber-related thefts at Russian banks where criminals were infecting financial systems with malware that was interacting with RBS software, Stoyanov said. Most banks in 2011, Stoyanov said, were not as vigilant about additional forms of authentication meaning attackers needed only to infect a system running RBS software to steal cash. Banks were falling victim in record numbers.
By making Angler available to the market, the gang began to recoup some of its losses, Stoyanov said, and a once-private delivery mechanism for financial malware was now one of the most widely used exploit kits targeting vulnerabilities in browsers, ad networks and third-party software.
“Judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status,” Stoyanov said. “Even though many small and medium-sized groups were willing to ‘work’ with them, they always preferred to work by themselves. So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a ‘product’ from the top underground authority did not need advertising.
“In addition, the exploit pack was actually very effective, delivering a very high percentage of successful vulnerability exploitations,” Stoyanov said. “It didn’t take long for it to become one of the key tools on the criminal-to-criminal market.”