The hunt for Lurk: from malware research to a criminal case

Tomcat

When a company suffers a cyber attack, the first step is to understand what exactly got in and from where, remove the malicious code and, preferably, find and close the weak point in the infrastructure. Only then can one ask “who is to blame”, and, alas, that question quite often goes entirely unanswered. The goal of security solution providers is to detect and investigate threats, provide protection and inform customers. Searching for the cybercriminals themselves is a job for law enforcement agencies, and to that end we share the results of our work with them, but there is one caveat.

The knowledge required to defend against malware differs somewhat from the knowledge required for an investigation. The latter has to prove that different incidents are connected and that different pieces of malware come from the same source, which, generally speaking, is not always needed to protect clients. Information also has to be translated from technical language into legal language. At Kaspersky Lab this work is done by the Computer Incidents Investigation Department. They recently shared the findings of an investigation into the activities of the Lurk group, which targets commercial organizations. Victims of the campaign were infected with a Trojan of the same name, which was used to steal funds from corporate bank accounts.

This side of the fight against cybercrime is covered in detail far less often than traditional threat research, which makes the publication especially interesting. This text is a brief digest of several Securelist publications on the topic, starting with a short 2012 study and ending with a detailed technical analysis of the Lurk Trojan and an account of the long investigation into the group's activities as a whole.

In June of this year about 50 suspects were detained, allegedly involved in the theft of 3 billion rubles from the accounts of residents of Russia and the CIS countries. The statement from the Ministry of Internal Affairs spoke of numerous thefts “of funds from the current accounts of legal entities, as well as from correspondent accounts of financial institutions using malicious software.” The Lab provided law enforcement agencies with expert support in the investigation, and the arrests themselves effectively concluded an investigation by our experts that had lasted more than five years.

Start

Perhaps the most telling episode of the whole story is how the first fragments of the Trojan's code were discovered. They turned up in 2011, after reports of several thefts of funds from corporate bank accounts. The attack technique matched the far-from-perfect security of the bank-transfer software of the time: it was enough to modify the bank details in the generated payment orders, after which the money went to the attackers' accounts. Getting the discovered module to run under laboratory conditions proved very difficult. An additional malicious module found later that year made it clear that the program was aimed at remote banking systems, but nothing more: the data obtained was enough to protect against a specific version of the code, but not enough to judge the scale of the attack. Against the much better-known financial cyberattacks of the time (ZeuS, SpyEye, Carberp), Lurk looked like just another dangerous but unremarkable piece of malware.

Infection of popular news sites

The picture became clearer in 2012, when a mass infection of users took place through popular news sites. The malicious code, not for the first time and not for the last, was delivered through a banner advertising network.

[Image: example code of an infected banner]

JavaScript code redirected visitors to a malicious site, from which an exploit for a Java vulnerability was served. The malicious code was loaded as an encrypted library directly into the memory of the javaw.exe process, which at the time was a rather unusual approach for attacks of this type. This fileless method was known from the CodeRed and Slammer worm epidemics, but here it was used to download the Lurk Trojan. It was at this stage that the attack got its name, for its quite effective techniques for covert infection and operation.

[Image: part of the Lurk malware code responsible for loading additional modules]

Although more than 300 thousand users were attacked, not all of them ended up with the Trojan. Further exploitation of the security hole was conditional on specialized corporate online-banking software being present on the infected computer. Looking ahead, I will say that in the end only 60 thousand systems passed through the Lurk command servers, a relatively small number precisely because of this selectivity.

Organization

By 2013 enough evidence had accumulated to link different versions of the malware to each other reliably. The complexity of the malicious code grew, additional modules appeared, and “support” for banking client software expanded. Since we are talking about corporate banking services, there are not that many client programs, but for each one the attack's authors had to do quite serious work studying how it operates and reverse engineering its code, work that was not so much complex as long and tedious. At the same time, our experts made use of mistakes by members of the criminal group, which made it possible to learn the number of participants and similar facts (examples of the mistakes, for obvious reasons, are not given in the article).

In 2013 the group had about 15 members; towards the end the number had grown to 40. Some were responsible for developing the malware, others for the botnet control system, and others for cashing out the funds. New experienced developers were recruited in various ways, including through ordinary job advertisements.

At this stage of Lurk's operation almost everything was automated: infection, the transfer of funds to dummy accounts, and even the distribution of the money for subsequent cashing out required almost no human intervention.

No money

The “golden age” ended rather quickly. Already in 2014 the group began to feel a shortage of money. From the outside this was visible in the widening of the circle of potential victims to include ordinary users; more and more often the criminals took on jobs with a relatively small potential take. The reason was changes in the security of banking software. Vendors stopped publishing demo versions of their products on their websites, and obtaining new versions for study became harder. Technologies appeared to counter the simplest method of automatically substituting bank details. The attackers even tried to obtain copies of the programs for study through a dummy legal entity. Meanwhile, on the Lab's side, every new version of the malicious modules was seen and could be analysed quickly, and the protection systems for clients updated. And maintaining the extensive infrastructure needed to support the campaign cost, by our experts' estimate, tens of thousands of dollars a month.

Diversification of the business began: the Angler exploit pack appeared, which was used to make money on the criminal-to-criminal market. It is, incidentally, the group's best-known product outside Russia: at various times new versions of the pack were analysed by specialists at many anti-virus companies. In June of this year several independent sources confirmed that Angler's activity had stopped completely, which coincided with the arrest of the suspects.

The final attempt to expand the cybercriminal business was manual attacks on banking systems. “Avtozaliv” (the automated transfer scheme) had long since stopped working; the Lurk toolkit was used to penetrate the victim's infrastructure, and what happened next depended on the circumstances. By that time our experts had uncovered the operating methodology of the Carbanak campaign, which specialized in banks and large companies, and had also discovered attacks of a similar nature using different but long-familiar malicious tools.

According to our experts, although Lurk's attacks continued until the spring of 2016, the group had organizational problems, including ones that did not help its operational secrecy, especially at the most vulnerable stage of the work: cashing out the money. The number of front companies for moving the stolen funds was limited, and in the end enough technical expertise and evidence was gathered to arrest the suspects.

Some technical features

A full description of the Lurk malicious modules is given in this article; here I will present only the most interesting features.

In the later stages most victims were infected through the Angler exploit pack, via the compromise of a popular or specialized website (accounting forums were a frequent target), either directly or through third-party banners or affiliate elements. But if an “uninteresting” system in an “interesting” organization turned out to be infected, reconnaissance was carried out over the local network and further penetration followed, including with the entirely legitimate psexec utility.

The main body of the malware (the core module) was downloaded only onto suitable systems. If the required target software was not found, the reconnaissance modules were removed, though before that, passwords for FTP servers could be stolen from the corresponding clients. The main module had no hard-coded command server addresses: they were computed (more precisely, generated on both sides) from indirect information, for example, data on current stock exchange quotes.
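The "generated on both sides" scheme above cuts both ways: if the seed is public data such as stock quotes, then an analyst who has reverse engineered the generation routine can compute the same candidate domains in advance, register or sinkhole them, and match DNS logs against the prediction. The block below is an added toy illustration of that principle, not Lurk's actual algorithm; the hashing scheme, the TLD list, the label length and the sample quotes are all constructed for demonstration.

```python
"""Toy model of command-server addresses derived from public quote data,
with the defender-side pre-computation and DNS-log matching that it enables.
Added example; the scheme and sample data are constructed, not Lurk's."""
import hashlib
from typing import Dict, Iterable, List, Set

# Constructed sample quotes, as both sides might read them from a public feed.
SAMPLE_QUOTES: Dict[str, float] = {"ABC": 12.34, "XYZ": 56.78}
TLDS = ["com", "net", "org"]  # assumed list, illustration only
LABEL_LEN = 12


def derive_seed(quotes: Dict[str, float], day: str) -> bytes:
    """Canonicalise the observation (ISO date plus sorted ticker=price pairs)
    so that any party seeing the same feed derives the same byte string."""
    parts = [day] + [f"{ticker}={price:.2f}" for ticker, price in sorted(quotes.items())]
    return "|".join(parts).encode()


def generate_domains(quotes: Dict[str, float], day: str, count: int = 5) -> List[str]:
    """Derive `count` candidate domains for one day from the public seed."""
    seed = derive_seed(quotes, day)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def build_blocklist(quote_history: Dict[str, Dict[str, float]], count: int = 5) -> Set[str]:
    """Defender side: pre-compute every candidate domain for a range of days
    (e.g. the last week of quotes) for sinkholing or firewall blocking."""
    blocked: Set[str] = set()
    for day, quotes in quote_history.items():
        blocked.update(generate_domains(quotes, day, count))
    return blocked


def flag_dns_queries(queries: Iterable[str], blocklist: Set[str]) -> List[str]:
    """Return the queried names (normalised) that hit a pre-computed candidate."""
    return [q for q in queries if q.lower().rstrip(".") in blocklist]


if __name__ == "__main__":
    today = generate_domains(SAMPLE_QUOTES, "2016-06-01")
    print("predicted:", today)
    blocklist = build_blocklist({"2016-06-01": SAMPLE_QUOTES})
    print("hits:", flag_dns_queries(["www.example.com", today[0]], blocklist))
```

Note what the dependence on the seed means in practice: a one-cent change in a single quote yields an entirely different domain set, so the defender must reproduce exactly the feed, rounding and date handling the malware uses, which is precisely the kind of detail that has to be recovered by reverse engineering the module.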

Later versions of Lurk implement keystroke logging, but only while a specific program is in use. In some cases the video stream of the screen contents was intercepted.

This spring saw a whole series of reports of successful attacks on the SWIFT interbank transfer system. Few details of these attacks are known, and it is not certain that they will be shared any time soon. Our analysis of Lurk offers an explanation for this slowness: it comes from the need to collect a large amount of technical data and from the peculiarities of working with law enforcement agencies (once again, detecting a malicious attack is easier than investigating it to the end). One conclusion of the technical analysis of Lurk will, I assume, be repeated more than once in other investigations of similar attacks: clients of financial systems can be reliably protected only if protection is also implemented on the server side. In other words, the answer to this kind of cyber attack is joint work (in Lurk's case, by the security solutions vendor, the software developers, the banks, their clients, and law enforcement agencies).

Disclaimer: This column is based on real events, but still reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on your luck.
 