SecurityWeek

Malware & Threats

50 Hackers Using Lurk Banking Trojan Arrested in Russia

Law enforcement officers have arrested 50 hackers across Russia involved in bank fraud using the Lurk trojan, following 86 raids in 15 regions. Fourteen main participants including the three primary organizers were arrested in the Sverdlovsk region. An estimated $45 million has been stolen by the gang, while a further $30 million loss has been prevented by the police. The investigation of the Lurk banking trojan gang was assisted by Kaspersky Lab.

The hackers had been stealing money from bank accounts in Russia and other countries of the CIS through use of the malicious software known as Lurk. Lurk is an Android trojan that mimics the online banking app for Sberbank, Russia’s largest bank. “It displays a similar login screen to the original app and steals user credentials as soon as the victim tries to authenticate,” reports Zscaler in an analysis published on the same day as the arrests. It can also steal SMS messages and monitor incoming calls in order to defeat one-time passwords and PINs sent by banks as a second authentication factor.

Once Lurk has been installed it is difficult to detect or remove. Visually there is no difference between the Sberbank app and the Lurk trojan. Technically it is difficult to detect because it resides in memory. For persistence, “It registers a broadcast receiver that triggers whenever the victim tries to remove administrator rights of the malware app, locking the android device for a few seconds. As a result, it is not possible to uninstall this malicious app by revoking admin rights.”
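The two paragraphs above describe three capabilities that together characterise this kind of banking trojan: SMS and call access to capture one-time codes, the ability to draw a fake login screen over the real app, and a device-admin receiver that reacts when the user tries to revoke admin rights. The script below is an added example written for this article, not code from Zscaler, Kaspersky Lab or SecurityWeek; it applies that description as a static triage heuristic to an AndroidManifest.xml. The permission and action names are real Android identifiers; both manifests are constructed for the example, and the package names are placeholders, not indicators from the investigation.

```python
"""Manifest triage heuristic for the behaviour the article attributes to Lurk.

Added example, not code from the article or the vendors it quotes. It parses an
AndroidManifest.xml and flags the combination described above: SMS/call access
(to capture one-time codes), overlay capability (to draw a fake login screen),
and a device-admin receiver handling DEVICE_ADMIN_DISABLE_REQUESTED (the hook
used to resist removal). Both manifests below are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission and action names.
OTP_CAPTURE_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DISABLE_REQUESTED = "android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"


def analyze_manifest(xml_text: str) -> dict:
    """Return per-capability findings, a score and a verdict for one manifest."""
    root = ET.fromstring(xml_text)
    # Manifest element names carry no namespace; only the attributes do.
    perms = {p.get(A_NAME) for p in root.iter("uses-permission")}

    resists_removal = False
    for receiver in root.iter("receiver"):
        if receiver.get(A_PERMISSION) != DEVICE_ADMIN_PERM:
            continue  # not a device-admin receiver
        actions = {a.get(A_NAME) for a in receiver.iter("action")}
        if DISABLE_REQUESTED in actions:
            resists_removal = True

    findings = {
        "otp_capture": bool(perms & OTP_CAPTURE_PERMS),
        "overlay_capable": OVERLAY_PERM in perms,
        "resists_admin_removal": resists_removal,
    }
    score = sum(findings.values())
    findings["score"] = score
    # A single hit is common in legitimate apps (MDM agents also handle
    # DISABLE_REQUESTED); the combination is what warrants a closer look.
    findings["verdict"] = "suspicious" if score >= 2 else "low"
    return findings


# Constructed manifest modelled on the behaviour described in the article.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
        <action android:name="android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary networked app with a boot receiver.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("constructed fake-bank app", SUSPICIOUS_MANIFEST),
                        ("constructed benign app", BENIGN_MANIFEST)):
        print(label, analyze_manifest(text))
```

The heuristic is deliberately a score rather than a yes/no: overlay permission alone is used by screen filters and chat heads, and DEVICE_ADMIN_DISABLE_REQUESTED is a normal callback for enterprise management agents. What distinguishes the behaviour described here is the combination, so an analyst would treat a score of 2 or 3 as a reason to pull the APK for dynamic analysis, not as a verdict on its own.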

About 18 months ago Lurk began to attack Russian banks. It had previously been used against enterprise and consumer systems. Ruslan Stoyanov, head of computer incidents investigation at Kaspersky Lab, said in a statement yesterday, “Our company’s experts analyzed the malicious software and identified the hacker’s network of computers and servers. Armed with that knowledge the Russian Police could identify suspects and gather evidence of the crimes that had been committed.”

Sberbank is the only bank mentioned by Kaspersky, although it notes, “The malicious app also has overlays for third-party apps the user is likely to have on their phone, including secure messaging app WhatsApp, the Google Play app and the VTB 24 banking app.” Tass reports, however, that six Russian banks fell victim to cyber criminals during March and April of this year. About $10.2 million was stolen from Metallinvestbank. “Cybercriminals obtained remote access to Metallinvestbank’s systems and transferred funds to accounts under their control,” says Tass.

There is some confusion over exactly how much has been stolen from which banks over what period. Kaspersky Lab describes “a five-year operation to steal three billion rubles (just shy of $45 million USD) from the country’s largest bank, Sberbank.” It also adds that “Lurk started attacking banks one-and-a-half years ago.”

Tass reports that no money was stolen from Sberbank, but that an FSB spokesperson had said, “the perpetrators have stolen more than 1.7 billion rubles ($25.7 mln) from accounts of Russian financial institutions.” It also adds that the Interior Ministry puts the figure at $45 million: “The damage caused by persons suspected of cybercrimes in Russia has exceeded 3 billion rubles ($45 million), Interior Ministry spokeswoman Irina Volk told TASS on Wednesday.”

What isn’t contested, however, is that Kaspersky Lab assisted the Russian authorities in locating and arresting some 50 hackers that had been using the Lurk trojan on a massive scale.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
