On June 2, 2016, in a major police operation in Russia, 50 hackers from the Lurk banking trojan gang were arrested following 86 raids (Security Week here). Their malware was used for bank fraud (especially in Russia) and ransomware all over the world. The full extent of their activities became clear only after their arrest. In today’s post, I’m going to look back at U.S. computer security analysis (especially by Cisco Talos) prior to the arrests by Russia. The post contains an Easter egg relating to attribution of the DNC hack, but that will be a story for a different day.
Profiling of Angler Malware, 2015-16
In late 2015 and 2016, computer security consultants Cisco Talos (among others) were studying the a large and sophisticated crimeware operation referred to in the industry as the Angler exploit kit, then widely used in ransomware. In October 2015, Cisco Talos estimated that the Angler operation was then targeting approximately 90,000 victims per day, and to be generating at least $60 million per annum through identity theft and ransomware.
In an article on October 6, 2015, Cisco Talos estimated Angler’s annual revenue from ransomware at more than $60 million per year with over 180,000 targets per day on their full network (more detailed analysis here):
In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks — with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually. This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually.
Cisco Talos was then unaware of its connection to the Lurk banking trojan operation, which had been stealing from Sberbank and other Russian banks, and then little known in the West.
On Feb 9, 2016, they reported their discovery that the Angler operation was using hundreds of registered domains with randomly generated names, listing a small simple as shown below, and that all of these random domains were registered under a single email address: yingw90[@]yahoo.com.
A similar observation had been made almost fifteen months earlier (December 9, 2014) at the Dynamoo blog, which had reported a block of contaminated IP addresses at OVH UK containing a list of presumed malicious domains, all of which had identical registrant and registrant email: Gennadiy Borisov in Varna, Romania with registrant email yingw90@yahoo[.]com.
This Tweet from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses of 5.196.33.8/29 which appear to be completely dedicated to distributing malware. Specifically, VirusTotal lists badness on the following IPs:
5.196.33.8
5.196.33.9
5.196.33.10
There are also some doubtful looking IP addresses on 5.196.33.15 which may have a malicious purpose. All of these subdomains and domains [pastebin] are hosted in this block and I would suggest that you treat them as malicious.
Recommended blocklist:
5.196.33.8/29
jipwoyrnopwa.biz
kospoytrw.biz
belligerentladybug.com
hoplofrazoore.com
joptraeazalok.com
….. (many more)
Incidentally, the .IN domains are not anonymised, but I would assume that the contact details are fake:
Registrant Name:Gennadiy Borisov…
Registrant Street1:ul. Lyulyak 5…
Registrant City:Varna..
Registrant Postal Code:9000
Registrant Country:BG
Registrant Phone:+359.52601705
Registrant Email:yingw90@yahoo.com
Cisco Talos’ research went further. They looked for other metadata associated with yingw90[@]yahoo.com, resulting in definite associations to other recurring metadata: registrant emails john.bruggink@yahoo.co.uk and potrafamin44@gmail.com, registrant name “David Bowers” and domain wittalparuserigh[.]com. These, in turn, associated with dozens of domains, described by Cisco Talos as “an interesting mix of websites including normal looking domains, DGA-like domains, and adult websites”, on which they observed “multiple different threats, such as a Necurs Variant, Kazy, and Lurk”, summarized in the following diagram:
Uplevel Security (pdf pages 20-24), at the Cyber Threat Intelligence Summit February 2015, also linked registrant Gennadiy Borisov of Vadna, Bulgaria with email address yingw90[@]mail.com to a variety of zero-day exploit malware.
Cisco Talos’ next article on Angler malware (March 1, 2016) reported that the operation had begun using .tk domains which were both free and essentially unsupervised:
We have seen a large variety of domains hosting this activity including shadowed domains as well as a large amount of .tk domains. The .tk domains in particular are interesting, during our research we found that anyone can get a .tk domain free of charge. So far, all of these gate domains seem to be hosted on a single IP: 85.93.0.33, we’ll include an attachment linked at the bottom with all the domains we’ve seen registered with this IP.
On April 11, 2016, John Swanson reported another registrant email address associated with the Angler operation: saramarsh29@yahoo[.]com .
Arrest of Lurk Banking Trojan Gang
While Cisco Talos and others were attempting to track down operators of the Angler exploit kit, since 2011, Kaspersky, together with Russian police, had been pursuing the Lurk banking trojan gang, who operated a very sophisticated malware for robbing Sberbank and other Russian banks. Thefts from Russian banks were estimated to exceed $45 million.
This investigation culminated with the arrest of 50(!) hackers in 86 raids by Russian police on June 2, 2016, reported by Security Week as follows:
Law enforcement officers have arrested 50 hackers across Russia involved in bank fraud using the Lurk trojan, following 86 raids in 15 regions. Fourteen main participants including the three primary organizers were arrested in the Sverdlovsk region. An estimated $45 million has been stolen by the gang, while a further $30 million loss has been prevented by the police. The investigation of the Lurk banking trojan gang was assisted by Kaspersky Lab.
The hackers had been stealing money from bank accounts in Russia and other countries of the CIS through use of the malicious software known as Lurk. Lurk is an Android trojan that mimics the online banking app for Sberbank, Russia’s largest bank. “It displays a similar login screen to the original app and steals user credentials as soon as the victim tries to authenticate,” reports Zscaler in an analysis published on the same day as the arrests. It can also steal SMS messages and monitor incoming calls in order to defeat one-time passwords and PINs sent by banks as a second authentication factor. Once Lurk has been installed it is difficult to detect or remove. Visually there is no difference between the Sberbank app and the Lurk trojan.
The investigation of the Lurk banking trojan gang was assisted by Kaspersky Lab.
Prior to the arrest of the Lurk banking trojan gang, little was known about it in the West and the incident attracted relatively little coverage even among Western computer security analysts, who were transfixed by the announcement and attribution of the DNC hack to Russian hackers on June 14, 2016, only two weeks after arrest of the Lurk gang (which, in turn, took place only one week after exfiltration of the DNC emails in the Wikileaks archive.)
While other security firms attempted to parse the meagre details on the DNC hack disseminated by Crowdstrike and the DNC, Cisco Talos eagerly analysed fresh information on the Lurk gang’s C2 (command-and-control) domains, compiling, from various sources, a list of more than 125 C2 domains. (Note: I haven’t located a list of these domains or references to any public sources for the list). Cisco Talos quickly determined that the vast majority (85%) of these C2 domains were registered to john.bruggink@yahoo[.]co.uk, which, together with yingw90, were registrant email addresses for the majority of Angler domains.
Cisco Talos reported that “there were clear links between Lurk and Angler, not the least of which was that Lurk was being delivered largely through Angler to victims inside of Russia”. Cisco Talos then watched for the impact of Lurk arrests on use of Angler malware in incident reports. Within a week, they observed that Angler, then “by a large margin, the most prolific, successful, and sophisticated compromise platform related to crimeware”, had “disappeared from the threat landscape”. They also reported almost total disappearance of the Necurs botnet, which they had previously associated with the Angler malware kit:
During the research back in February, we uncovered a couple of C2 domains associated with Necurs that were owned by this same John Bruggink registrant account. Around the same time Lurk went away and Angler disappeared so did the Necurs botnet. This is widely considered the largest botnet in the world and with it several other high profile crimeware threats took a major hit. When Necurs went dark there were significant impacts to both Dridex and Locky distribution with Talos seeing significant decreases for Dridex and Locky respectively. Locky had decreased to such a small level that it looked to have been removed from the landscape all together, it appeared that a major portion of their distribution was reliant on the Necurs botnet in some fashion.’
On August 30, 2016, Kaspersky’s Ruslan Stoyanov subsequently published an insightful account of the rise and fall of the Lurk gang (also see earlier article on structure of Russian crimeware gangs) with more surprising details.
By 2012, they had determined that the Lurk gang had “reverse-engineer[ed]” entire professional banking systems – a job which “cannot easily be undertaken by an amateur hacker”. By the end of 2013, they profiled the group as an “organized group of cybersecurity specialists”, comparing them in purely organizational terms to a “small, software development company”:
But who in their right mind would openly take up illegal work, and who might have the money to finance such activities? In trying to answer these questions, we eventually came to the conclusion that every version of Lurk probably had an organized group of cybersecurity specialists behind it.
We realized that we were dealing with a group of about 15 people (although by the time it was shut down, the number of “regular” members had risen to 40). This team provided the so-called “full cycle” of malware development, delivery and monetization – rather like a small, software development company. At that time the “company” had two key “products”: the malicious program, Lurk, and a huge botnet of computers infected with it.
Kaspersky even provided an organization chart for a financial cybercrime group, which encompassed not just virus programmers, but a department of “money mules” to collect the cash.
During 2014 and 2015, Kaspersky and the Russian police gradually closed in on the Lurk gang, which, according to Stoyanov, had become “careless” or overconfident in their money mule department:
But, either because of an unshakable confidence in their own impunity or because of apathy, day-by-day the cybercriminals were paying less attention to the anonymity of their actions. They became especially careless when cashing money: according to our incident analysis, during the last stage of their activity, the cybercriminals used just a few shell companies to deposit the stolen money. But none of that mattered any more as both we and the police had collected enough material to arrest suspected group members, which happened early in June this year.
They appear to have been eventually caught by following the money, rather than through attribution of computer malware.
A Surprising Explanation
Stoyanov’s August 30, 2016 article also confirmed Cisco Talos’ surmised association between the Angler exploit kit and the Lurk gang, together with an astonishing backstory: they reported that, beginning in 2013, the Lurk gang had rented the Angler exploit kit to other criminal operations.
Stoyanov speculated that their diversification into malware rental arose because Russian banks had substantially plugged banking cyber-thefts through two factor authorizations and other security measures and that lesser hacking groups had eagerly rented malware from the Lurk gang, which, by then, had “almost legendary status”:
By the way, judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status. Even though many small and medium-sized groups were willing to “work” with them, they always preferred to work by themselves. So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a “product” from the top underground authority did not need advertising. In addition, the exploit pack was actually very effective, delivering a very high percentage of successful vulnerability exploitations. It didn’t take long for it to become one of the key tools on the criminal2criminal market.
It was in these farm-out applications (e.g. CryptXXX and TeslaCrypt ransomware, the Neverquest banking trojan) that Cisco Talos and others had encountered Angler in the West:
For years the Angler exploit kit was one of the most powerful tools on the underground available for hackers. Angler activity dates back to late 2013, when the kit became available for hire. Multiple cybecriminal groups involved in propagating different kinds of malware used it: from adware to banking malware and ransomware. In particular, this exploit kit was actively used by the group behind CryptXXX ransomware – one of the most active and dangerous ransomware threats online – TeslaCrypt and others. Angler was also used to propagate the Neverquest banking Trojan, which was built to attack nearly 100 different banks. The operations of Angler were disrupted right after the arrest of the Lurk group.
Conclusion
I found the backstory of the rise and fall of the Lurk banking trojan gang interesting on a number of counts.
First, the rise and fall of the Lurk gang seems to me to be a counter-example to the media and U.S. think-tank portrayal of a Russia in which a leaf doesn’t fall (let alone a hacking group operate) except under Putin’s command and control. The Lurk gang clearly operated outside government command-and-control. They stole from Russian banking institutions and, despite the best efforts of Russian police and a very competent computer security firm (Kaspersky), evaded capture for many years. When their end came, it was only through a concerted effort by institutions of Russian civil society. As a police procedural, there seem to be many elements in common with a corresponding Western saga.
Second, while some aspects of the Lurk gang crimeware were specific to them, the general technique of installing malware on target computers to exfiltrate information to command-and-control domains is common to both crimeware and the malware (APT28/Fancy Bear and APT29/Cosy Bear), said by Crowdstrike to have been discovered on the DNC server (which was never turned over to or directly examined by the FBI). I will discuss this topic in a future post. In the meantime, as noted above, there is an Easter egg in today’s post relating to attribution of the DNC hack.