跳到主体内容

Angler by Lurk: Why the infamous cybercriminal group that stole millions was renting out its most powerful tool

2016年8月30日

At the beginning of the summer, Kaspersky Lab assisted in the arrest of suspects that were part of the Lurk gang, which allegedly stole more than 45 million dollars from a number of companies and banks in Russia

At the beginning of the summer, Kaspersky Labassistedin the arrest of suspects that were part of the Lurk gang, which allegedly stole more than 45 million dollars from a number of companies and banks in Russia. It was the largest financial cybercrime group to be caught in recent years. However, this wasn’t the only cybercriminal activity Lurk group has been involved in. According to analysis of the IT infrastructure behind the Lurk malware, its operators were developing and renting their exploit kit out to other cybercriminals. Their Angler exploit kit is a set of malicious programs capable of exploiting vulnerabilities in widespread software and silently installing additional malware on PCs.

For years the Angler exploit kit was one of the most powerful tools on the underground available for hackers. Angler activity dates back to late 2013, when the kit became available for hire. Multiple cybecriminal groups involved in propagating different kinds of malware used it: from adware to banking malware and ransomware. In particular, this exploit kit was actively used by the group behind CryptXXX ransomware – one of the most active and dangerous ransomware threats online, TeslaCrypt and others. Angler was also used to propagate the Neverquest banking trojan, which was built to attack nearly 100 different banks. The operations of Angler were disrupted right after the arrest of the Lurk group.

As research conducted by Kaspersky Lab security experts has showed, the Angler exploit kit was originally created for a single purpose: to provide the Lurk group with a reliable and efficient delivery channel, allowing their banking malware to target PCs. Being a very closed group, Lurk tried to accumulate control over their crucial infrastructure instead of out-sourcing some parts of it as other groups do. But in 2013, things changed for the gang, and they opened access to the kit to all who were willing to pay.

“We suggest that the Lurk gang’s decision to open access to Angler was partly provoked by necessity to pay bills. By the time they opened Angler for rent, the profitability of their main “business” – cyber-robbing organizations – was decreasing due to a set of security measures implemented by remote banking system software developers. These made the process of theft much harder for these hackers. But by that time Lurk had a huge network infrastructure and a large number of “staff” - and everything had to be paid for. They therefore decided to expand their business, and they succeeded to a certain degree. While the Lurk banking trojan only posed a threat to Russian organizations, Angler has been used in attacks against users worldwide”, - explained Ruslan Stoyanov, Head of Computer incident investigations department.

The Angler exploit kit – its development and support – wasn’t the only Lurk group side activity. Over more than a five year period, the group moved from creating very powerful malware for automated money theft with Remote Banking Services software, to sophisticated theft schemes involving SIM-card swap fraud and hacking specialists familiar with the inside infrastructure of banks.

All Lurk group actions during this time were monitored and documented by Kaspersky Lab security experts. 

Read more about how Kaspersky Lab researched the activity of the Lurk group over five years in an article by Ruslan Stoyanov on Securlist.com 

Read more: The Lurk financial cybercrime group: What businesses can learn.  

Angler by Lurk: Why the infamous cybercriminal group that stole millions was renting out its most powerful tool

At the beginning of the summer, Kaspersky Lab assisted in the arrest of suspects that were part of the Lurk gang, which allegedly stole more than 45 million dollars from a number of companies and banks in Russia
Kaspersky logo

关于卡巴斯基

卡巴斯基是一家成立于1997年的全球网络安全和数字隐私公司。卡巴斯基不断将深度威胁情报和安全技术转化成创新的安全解决方案和服务,为全球的企业、关键基础设施、政府和消费者提供安全保护。公司提供全面的安全产品组合,包括领先的端点保护解决方案以及多种针对性的安全解决方案和服务,以及用于应对复杂和不断变化的数字威胁的网络免疫解决方案。全球有超过4亿用户使用卡巴斯基技术保护自己,我们还帮助全球200,000家企业客户保护最重要的东西。要了解更多详情,请访问www.kaspersky.com.cn.

相关文章 企业新闻