Overslaan naar hoofdinhoud

Angler by Lurk: Why the infamous cybercriminal group that stole millions was renting out its most powerful tool

30 augustus 2016

At the beginning of the summer, Kaspersky Lab assisted in the arrest of suspects that were part of the Lurk gang, which allegedly stole more than 45 million dollars from a number of companies and banks in Russia

At the beginning of the summer, Kaspersky Labassistedin the arrest of suspects that were part of the Lurk gang, which allegedly stole more than 45 million dollars from a number of companies and banks in Russia. It was the largest financial cybercrime group to be caught in recent years. However, this wasn’t the only cybercriminal activity Lurk group has been involved in. According to analysis of the IT infrastructure behind the Lurk malware, its operators were developing and renting their exploit kit out to other cybercriminals. Their Angler exploit kit is a set of malicious programs capable of exploiting vulnerabilities in widespread software and silently installing additional malware on PCs.

For years the Angler exploit kit was one of the most powerful tools on the underground available for hackers. Angler activity dates back to late 2013, when the kit became available for hire. Multiple cybecriminal groups involved in propagating different kinds of malware used it: from adware to banking malware and ransomware. In particular, this exploit kit was actively used by the group behind CryptXXX ransomware – one of the most active and dangerous ransomware threats online, TeslaCrypt and others. Angler was also used to propagate the Neverquest banking trojan, which was built to attack nearly 100 different banks. The operations of Angler were disrupted right after the arrest of the Lurk group.

As research conducted by Kaspersky Lab security experts has showed, the Angler exploit kit was originally created for a single purpose: to provide the Lurk group with a reliable and efficient delivery channel, allowing their banking malware to target PCs. Being a very closed group, Lurk tried to accumulate control over their crucial infrastructure instead of out-sourcing some parts of it as other groups do. But in 2013, things changed for the gang, and they opened access to the kit to all who were willing to pay.

“We suggest that the Lurk gang’s decision to open access to Angler was partly provoked by necessity to pay bills. By the time they opened Angler for rent, the profitability of their main “business” – cyber-robbing organizations – was decreasing due to a set of security measures implemented by remote banking system software developers. These made the process of theft much harder for these hackers. But by that time Lurk had a huge network infrastructure and a large number of “staff” - and everything had to be paid for. They therefore decided to expand their business, and they succeeded to a certain degree. While the Lurk banking trojan only posed a threat to Russian organizations, Angler has been used in attacks against users worldwide”, - explained Ruslan Stoyanov, Head of Computer incident investigations department.

The Angler exploit kit – its development and support – wasn’t the only Lurk group side activity. Over more than a five year period, the group moved from creating very powerful malware for automated money theft with Remote Banking Services software, to sophisticated theft schemes involving SIM-card swap fraud and hacking specialists familiar with the inside infrastructure of banks.

All Lurk group actions during this time were monitored and documented by Kaspersky Lab security experts. 

Read more about how Kaspersky Lab researched the activity of the Lurk group over five years in an article by Ruslan Stoyanov on Securlist.com 

Read more: The Lurk financial cybercrime group: What businesses can learn.  

Angler by Lurk: Why the infamous cybercriminal group that stole millions was renting out its most powerful tool

At the beginning of the summer, Kaspersky Lab assisted in the arrest of suspects that were part of the Lurk gang, which allegedly stole more than 45 million dollars from a number of companies and banks in Russia
Kaspersky logo

Over Kaspersky

Kaspersky is een internationaal bedrijf dat is opgericht in 1997 en dat is gespecialiseerd in cyberbeveiliging en digitale privacy. Dankzij de uitgebreide bedreigingsintelligentie en beveiligingsexpertise van Kaspersky zijn tot nu toe meer dan een miljard apparaten beschermd tegen opkomende cyberbedreigingen en gerichte aanvallen. Kaspersky transformeert voortdurend haar innovatieve oplossingen en diensten om bedrijven, kritieke infrastructuren, overheden en consumenten wereldwijd te beschermen. Onder het allesomvattende beveiligingsportfolio van Kaspersky vallen toonaangevende endpointbescherming, gespecialiseerde beveiligingsproducten en diensten, evenals Cyber Immune-oplossingen waarmee geavanceerde en evoluerende digitale bedreigingen kunnen worden bestreden. We helpen meer dan 200.000 zakelijke klanten te beschermen wat het belangrijkste voor ze is. Meer informatie vind je op www.kaspersky.nl.

Verwant artikel Information