Experts from Kaspersky Lab confirmed that the Lurk cybercrime Gang developed, maintained and rent the infamous Angler Exploit Kit.

Security experts from Kaspersky Lab have confirmed that the Lurk cybercrime group are the author of the infamous Angler exploit kit. The members of the Lurk cybercrime crew were arrested by Russian law enforcement this summer, according to the experts they also offered for rent the Angler exploit kit that after the arrest disappeared from the exploit landscape.

Law enforcement arrested suspects in June, authorities accused them of stealing around $45 million USD from Russian financial institutions by using the Lurk banking trojan.

According to the Cisco Talos researchers, after the arrests of the individuals behind the Lurk banking trojan, it has been observed a rapid disappearance of the Angler EK in the wild.

Malware researchers confirmed that the overall traffic related to other EKs shows a drastic fall, around 96% since early April.

The Angler and Nuclear exploit kits rapidly disappeared, likely due to the operations conducted by the law enforcement in the malware industry.

A joint investigation conducted by the Russian Police and the Kaspersky Lab allowed the identification of the individuals behind the Lurk malware. The experts now confirmed that the Lurk group was also responsible for developing and maintaining the Angler exploit kit, that they called “XXX.”

Experts from Kaspersky published a blog post that details how the security firm helped law enforcement in catching the Lurk cybercrime group.

The experts explained that the Lurk gang started renting the Angler Exploit Kit after their fraudulent activities became less profitable.

“In addition to increasing the number of “minor” attacks, the cybercriminals were trying to solve their cash flow problem by “diversifying” the business and expanding their field of activity. This included developing, maintaining and renting the Angler exploit pack (also known as XXX). Initially, this was used mainly to deliver Lurk to victims’ computers. But as the number of successful attacks started to decline, the owners began to offer smaller groups paid access to the tools.”

“Judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status,” reads the post. “So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a ‘product’ from the top underground authority did not need advertising.”

Lurk first appeared on the scene in 2011 when its activities were first spotted by Kaspersky experts. Kaspersky initially determined the Lurk cybercrime group was composed of roughly 15 people. Across the years the number of members of the criminal gang increased to 40.

lurk2

Kaspersky also provided an estimation of the cost for the Lurk infrastructure that reached tens of thousands of dollars per month.

“The criminal group had an extensive and extremely costly network infrastructure, so, in addition to employees’ salaries, it was necessary to pay for renting servers, VPN and other technical tools. Our estimates suggest that the network infrastructure alone cost the Lurk managers tens of thousands of dollars per month.” continues the post.

Pierluigi Paganini