SecurityWeek

Cybercrime

Kaspersky Confirms Lurk Gang Developed Angler Exploit Kit

Kaspersky Lab has confirmed that the Lurk cybercrime gang, whose members were arrested by Russian police this summer, developed and rented the notorious Angler exploit kit, which disappeared from the scene shortly after the arrests.

Russian law enforcement announced in early June the arrests of 50 individuals suspected of using the Lurk Trojan to conduct bank fraud. Authorities believe the cybercriminals have stolen tens of millions of dollars from Russian financial institutions.

Police in Russia identified the individuals behind the Lurk malware with the help of experts from Kaspersky Lab, who have now confirmed that the group was also responsible for developing, maintaining and renting the Angler exploit kit, which they called “XXX.”

It had long been known that cybercriminals distributed Lurk via Angler, but researchers only began to suspect a closer connection between the two shortly after the arrests, when gangs that had relied exclusively on Angler to deliver their malware switched to other exploit kits.

The French researcher “Kafeine” speculated that there could be a connection between the two and that some actors might be stepping back following the arrests. Cisco Talos researchers also uncovered a link between Lurk and Angler based on an account used to register domains leveraged by both threats.
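The Talos finding above is an instance of a general threat-intelligence technique: pivoting on shared registration data to link infrastructure that belongs to nominally separate operations. The block below is an added illustration written for this page, not code from the article, Talos or Kaspersky. Every record, domain and address in it is constructed, and the privacy-proxy suffix used to filter out meaningless overlaps is an assumption for the example.

```python
# Added example: correlate campaigns through shared registrant accounts.
# All records below are constructed for illustration, not real WHOIS data.
from collections import defaultdict

# Constructed WHOIS-style records: (domain, registrant_email, campaign_tag)
RECORDS = [
    ("lurk-c2-a.example", "reg-one@example.net", "Lurk"),
    ("lurk-c2-b.example", "reg-one@example.net", "Lurk"),
    ("angler-lp-a.example", "reg-one@example.net", "Angler"),
    ("angler-lp-b.example", "reg-two@example.net", "Angler"),
    ("unrelated.example", "reg-three@example.net", "Other"),
    # Two domains behind the same privacy proxy: a shared contact here
    # means nothing, so the pivot must ignore it.
    ("angler-lp-c.example", "hidden@whoisprivacy.example", "Angler"),
    ("unrelated-2.example", "hidden@whoisprivacy.example", "Other"),
]

# Assumed privacy-proxy domains; a real list would come from the analyst's
# own knowledge of proxy and reseller services.
PRIVACY_PROXY_SUFFIXES = ("@whoisprivacy.example",)


def is_privacy_proxy(registrant):
    """True if the registrant address belongs to a known privacy proxy."""
    return registrant.lower().endswith(PRIVACY_PROXY_SUFFIXES)


def index_by_registrant(records):
    """Map each usable registrant identifier to its (domain, campaign) pairs."""
    idx = defaultdict(set)
    for domain, registrant, campaign in records:
        if is_privacy_proxy(registrant):
            continue  # shared proxy contacts produce false links
        idx[registrant.lower()].add((domain, campaign))
    return idx


def shared_registrants(records, min_campaigns=2):
    """Registrants whose domains span at least `min_campaigns` campaigns.

    Returns {registrant: sorted list of campaign tags}.
    """
    result = {}
    for registrant, pairs in index_by_registrant(records).items():
        campaigns = {campaign for _, campaign in pairs}
        if len(campaigns) >= min_campaigns:
            result[registrant] = sorted(campaigns)
    return result


def linked_campaigns(records):
    """Undirected campaign graph: two campaigns are linked if they share a registrant."""
    links = defaultdict(set)
    for campaigns in shared_registrants(records).values():
        for a in campaigns:
            for b in campaigns:
                if a != b:
                    links[a].add(b)
    return {campaign: sorted(peers) for campaign, peers in links.items()}


if __name__ == "__main__":
    for registrant, campaigns in shared_registrants(RECORDS).items():
        print(f"{registrant} registered domains for: {', '.join(campaigns)}")
    print(linked_campaigns(RECORDS))
```

On the constructed data the only meaningful pivot is `reg-one@example.net`, which links the Lurk and Angler tags; the proxy contact shared by an Angler and an unrelated domain is discarded. In practice the same idea extends to other registration artifacts (name servers, registrant phone numbers, payment accounts) and the same caveat applies to each: a value shared because of a common service provider is not evidence of a common operator.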

In a blog post published on Tuesday, Kaspersky’s Ruslan Stoyanov provided details on the hunt for the Lurk gang and confirmed that the group was behind Angler. According to the security firm, the cybercriminals created Angler after banks improved their security systems, which forced the group to diversify and expand its business.

Angler was initially used exclusively by the group, but they started renting it to others after their fraud activities became less profitable.

“Judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status,” Stoyanov explained. “So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a ‘product’ from the top underground authority did not need advertising.”

The development of Lurk started in 2011 and it soon turned into an operation resembling a small software company. Kaspersky initially determined that a group of roughly 15 people were behind the malware, but the number increased to 40 by the time their activities were shut down by law enforcement.

Experts believe Lurk managers had to pay tens of thousands of dollars every month to maintain their vast network infrastructure, in addition to the money they had to pay their “employees.”

The Lurk gang was highly organized and initially they did not leave any clues that might allow investigators to uncover their real identities. However, they did make some mistakes over the years, which led to their identification and capture.

Related: Lurk Banking Trojan Delivered via Ammyy Website

Related: Blackhole Exploit Kit Author Sentenced to Prison

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.