Angler by Lurk: Why the infamous cybercriminal group that stole millions was renting out its most powerful tool

Kaspersky Lab_Hunting Lurk

At the beginning of the summer, Kaspersky Lab assisted in the arrest of suspects that were part of the Lurk gang, which allegedly stole more than 45 million dollars from a number of companies and banks in Russia. It was the largest financial cybercrime group to be caught in recent years. However, this wasn’t the only cybercriminal activity Lurk group has been involved in.

According to analysis of the IT infrastructure behind the Lurk malware, its operators were developing and renting their exploit kit out to other cybercriminals. Their Angler exploit kit is a set of malicious programs capable of exploiting vulnerabilities in widespread software and silently installing additional malware on PCs.

For years the Angler exploit kit was one of the most powerful tools on the underground available for hackers. Angler activity dates back to late 2013, when the kit became available for hire.

Multiple cybercriminal groups involved in propagating different kinds of malware used it: from adware to baking malware and ransomware.

In particular, this exploit kit was actively used by the group behind CryptXXX ransomware —one of the most active and dangerous ransomware threats online— TeslaCrypt and others.

Angler was also used to propagate the Neverquest banking trojan, which was built to attack nearly 100 different banks. The operations of Angler were disrupted right after the arrest of the Lurk group.

As research conducted by Kaspersky Lab security experts has showed, the Angler exploit kit was originally created for a single purpose: to provide the Lurk group with a reliable and efficient delivery channel, allowing their banking malware to target PCs.

Being a very closed group, Lurk tried to accumulate control over their crucial infrastructure instead of out-sourcing some parts of it as other groups do. But in 2013, things changed for the gang, and they opened access to the kit to all who were willing to pay.

“We suggest that the Lurk gang’s decision to open access to Angler was partly provoked by necessity to pay bills. By the time they opened Angler for rent, the profitability of their main “business” – cyber-robbing organizations – was decreasing due to a set of security measures implemented by remote banking system software developers. These made the process of theft much harder for these hackers. But by that time Lurk had a huge network infrastructure and a large number of “staff” – and everything had to be paid for. They therefore decided to expand their business, and they succeeded to a certain degree. While the Lurk banking trojan only posed a threat to Russian organizations, Angler has been used in attacks against users worldwide,” explained Ruslan Stoyanov, Head of Computer incident investigations department.

The Angler exploit kit – its development and support – wasn’t the only Lurk group side activity. Over more than a five year period, the group moved from creating very powerful malware for automated money theft with Remote Banking Services software, to sophisticated theft schemes involving SIM-card swap fraud and hacking specialists familiar with the inside infrastructure of banks.

All Lurk group actions during this time were monitored and documented by Kaspersky Lab security experts.