Yesterday, the Russian-based security company, Kaspersky Lab, officially confirmed that the cyber gang behind the notorious Lurk banking Trojan is the same gang responsible for the creation of the Angler exploit kit (EK). Before it disappeared, Angler was ranked #1 on the most popular EKs list in the world.
50 people were arrested and 18 were detained, by Russian police at the end of May, for being a part of the huge Lurk banking Trojan distribution campaigns. Since 2011, Lurk developers managed to steal more than $45 million (3 billion rubles) from Russian banks and other financial institutions.
At first, the Lurk banking Trojan was hitting mostly Russian banks which were using a Remote Banking Software (RBS) but played a very important role not only in the Russian financial market but worldwide.
Two years after its appearance on the malware stage, together with other RBS threats like the Carberp gang`s product, RBS software vendors and banks introduced more security measures in the global money transferring process. While banks started using a two-step verification and off-site authentication codes, RBS authors stopped demos of their products for free.
These adjustments happened at the same time Kaspersky researchers detected the Angler EK first version. This was also around the time the Lurk profits went down. The experts assumed that the cybercriminals behind the Lurk Trojan, which were managing a big team of malware developers, money mules, spammers, had to find another tool to help them pay their workers.
While until that moment, this toolkit has only been used by their own operators before they decided to make it available for rent to other criminal gangs to spread it via drive-by downloads. The toolkit was given the name Angler by the security companies that analyzed it.
The Angler EK is a complex Web-based software package which finds users running vulnerable software, utilizing scripts on special servers called “gates”.
When they find a worthy victim, these scripts redirect them to the Angler webpage, where the EK relies on Flash, JavaScript or Java objects to infect the victim`s web browser or OS. In this way, Angler could easily drop a malevolent payload on the targeted machine.
Even though this method was created to infect RBS software running PCs with the Lurk banking Trojan, after 2013, the devs started to use it for other types of malware`s distribution as well.
Angler was world`s most famous exploit kit. It was used to deliver all types of malware, including banking Trojans, adware, ransomware, etc. Some of its most major campaigns were the distribution of the CryptXXX and TeslaCrypt pieces of ransomware as well as the Neverquest banking Trojan
“The Lurk gang did not make […] blunders. Yet mistakes, seemingly insignificant and rare, still occurred. And when they did, we caught them.” – the Kaspersky team stated yesterday, once again proving their role in exposing the crooks.
Thanks to these mistakes, the Lurk/Angler criminal gang was arrested and the end of May and by the middle of June, the Angler EK seemed to have disappeared from the EK market. Even if an official announcement was made neither from Kaspersky nor from the Russian police until yesterday, most people already assumed that the arrests from May and the Angler demise were connected.
