Cisco Eyes Ties Between Angler and Lurk Malware
Russia's Arrests of Lurk Gang Likely Took Bite Out of Crime
Cisco's Talos research unit says it has found evidence of ties between operators of the Angler exploit kit and a group of Russians that used the Lurk malware to loot banks in the country.
The finding may help explain why the Angler exploit kit effectively disappeared after Russia arrested 50 people for allegedly pilfering 1.7 billion rubles ($25.5 million) from several Russian financial services firms over a five-year period using Lurk (see Russian Police Bust Alleged Bank Malware Gang).
Computer security experts suspected that the sudden drop-off in attacks using Angler - which until early June was one of the most popular for-rent kits for compromising large numbers of computers - might have been linked to the arrests. But Russia has revealed little about its investigation, leaving room for speculation (see Did Russia Put Angler Out of Business?).
Digging further, Cisco says it found a single common email address - firstname.lastname@example.org - was used to register around 85 percent of the 125 domains linked to Lurk's command-and-control infrastructure.
"This particular registrant account was of interest because of its role in the back-end communication of Angler," writes Nick Biasini, a threat researcher at Talos.
The email address was also linked to command-and-control infrastructure for Bedep, which was often the first payload dropped by Angler after a successful attack. Bedep was then used to download other types of malware.
One of Most Significant Cybercrime Arrests?
After Angler disappeared following the arrests, observers also noticed that the Necurs botnet went offline. Necurs was "widely considered the largest botnet in the world" and was instrumental in distributing the Locky ransomware and the Dridex banking malware.
Talos also found two command-and-control domains linked to Necurs that used the same email account. Necurs only went down for about three weeks, however, and has resumed distributing Locky and Dridex.
When buying a domain name, purchasers must supply registrant contact information, and cybercriminals routinely submit bogus data. Even false information is useful to analysts, though, when the same bogus details are reused: a single registrant email shared across otherwise separate infrastructure is an indicator that the activities may be linked.
Cybercriminals often get lazy and do not scramble every digital trail they leave. A fabricated address that recurs across registrations is as good a pivot as a real one; what matters is that it is distinctive rather than shared with everyone, as a WHOIS privacy-proxy address would be.
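The registrant-reuse pivot described above, as an added example that is not Talos's code or part of the original article. It clusters WHOIS-style records by registrant email, reports addresses that recur across more than one campaign, and computes each address's share of a campaign's domains (the 85 percent figure in the article is that kind of number). All domains, addresses, campaign labels and the privacy-proxy list are constructed for illustration; none is a real indicator.

```python
"""Pivot on reused WHOIS registrant data across malware campaigns.

All records below are constructed sample data for this example; the
domains, e-mail addresses and campaign labels are invented.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed WHOIS-style records: (domain, registrant_email, campaign).
SAMPLE_RECORDS: List[Tuple[str, str, str]] = [
    ("lurk-cc-01.example", "Reg.Alpha@Example.invalid", "lurk"),
    ("lurk-cc-02.example", "reg.alpha@example.invalid", "lurk"),
    ("lurk-cc-03.example", "reg.alpha@example.invalid", "lurk"),
    ("lurk-cc-04.example", "reg.alpha@example.invalid", "lurk"),
    ("lurk-cc-05.example", "reg.alpha@example.invalid", "lurk"),
    ("lurk-cc-06.example", "reg.alpha@example.invalid", "lurk"),
    ("lurk-cc-07.example", "reg.alpha@example.invalid ", "lurk"),
    ("lurk-cc-08.example", "other.beta@example.invalid", "lurk"),
    ("bedep-cc-01.example", "reg.alpha@example.invalid", "bedep"),
    ("bedep-cc-02.example", "reg.alpha@example.invalid", "bedep"),
    ("bedep-cc-03.example", "contact@whois-privacy.invalid", "bedep"),
    ("necurs-cc-01.example", "reg.alpha@example.invalid", "necurs"),
    ("necurs-cc-02.example", "reg.alpha@example.invalid", "necurs"),
    ("necurs-cc-03.example", "gamma@example.invalid", "necurs"),
]

# Constructed list of WHOIS privacy/proxy mail domains. Every customer of
# such a service shares one address, so it links nothing and must be skipped.
PRIVACY_PROXY_DOMAINS: Set[str] = {"whois-privacy.invalid"}


def normalize_email(email: str) -> str:
    """Case-fold and strip so trivial variations do not split a cluster."""
    return email.strip().lower()


def is_pivotable(email: str) -> bool:
    """Reject malformed and privacy-proxy addresses as pivot keys."""
    if "@" not in email:
        return False
    return email.rsplit("@", 1)[1] not in PRIVACY_PROXY_DOMAINS


def index_by_registrant(
    records: Iterable[Tuple[str, str, str]]
) -> Dict[str, Dict[str, Set[str]]]:
    """Map registrant e-mail -> campaign -> set of domains."""
    index: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for domain, email, campaign in records:
        email = normalize_email(email)
        if not is_pivotable(email):
            continue
        index[email][campaign].add(domain.lower())
    return index


def cross_campaign_registrants(
    records: Iterable[Tuple[str, str, str]], min_campaigns: int = 2
) -> List[Tuple[str, List[str], int]]:
    """Registrant addresses seen in at least `min_campaigns` campaigns.

    Returns (email, sorted campaign names, total domains), most domains first.
    """
    index = index_by_registrant(records)
    hits: List[Tuple[str, List[str], int]] = []
    for email, per_campaign in index.items():
        if len(per_campaign) >= min_campaigns:
            total = sum(len(domains) for domains in per_campaign.values())
            hits.append((email, sorted(per_campaign), total))
    hits.sort(key=lambda hit: (-hit[2], hit[0]))
    return hits


def registrant_share(
    records: Iterable[Tuple[str, str, str]], campaign: str
) -> Dict[str, float]:
    """Fraction of a campaign's domains registered to each pivotable address.

    The denominator is every domain in the campaign, including ones behind a
    privacy proxy, so the shares of pivotable addresses may not sum to 1.
    """
    counts: Dict[str, int] = defaultdict(int)
    total = 0
    for _, email, camp in records:
        if camp != campaign:
            continue
        total += 1
        email = normalize_email(email)
        if is_pivotable(email):
            counts[email] += 1
    return {email: n / total for email, n in counts.items()} if total else {}


if __name__ == "__main__":
    for email, campaigns, n in cross_campaign_registrants(SAMPLE_RECORDS):
        print(f"{email}: {n} domains across {', '.join(campaigns)}")
    for email, share in sorted(registrant_share(SAMPLE_RECORDS, "lurk").items()):
        print(f"lurk share {email}: {share:.0%}")
```

On real data the same pattern applies to other registrant fields (name, phone, postal address, name server set) and to historical WHOIS snapshots, since the reused value is often only visible in records captured before the registrar redacted them; the privacy-proxy exclusion is the check that keeps a redaction placeholder from linking every domain in the dataset to each other.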
Biasini writes there's no way to be certain that all of the threats are connected. But if there is a connection, "this will likely go down as one of the most significant arrests in the history of cybercrime with a criminal organization that was easily earning hundreds of millions of dollars."
Angler 'Not Dead Yet'
Andrew Komarov, chief intelligence officer at InfoArmor, says Angler isn't dead just yet. The main actors are still around and have opted to withdraw the commercial version of Angler from the market given the arrests. A closely held version is still active.
"[The] Angler EK actors have changed their tactics, and concentrated on more private operations," he says.
Meanwhile, those behind the Neutrino exploit kit have stepped into the void. Komarov said that group has raised its price to $7,000 per month. A new "Waves" module for Neutrino can detect if it is attacking a computer running a virtual machine or certain kinds of security software or sandboxes, which causes an attack to stop, he says.
"It is pretty advanced technology, which shows that they are concerned about [researchers or police] tracking them and their infrastructure," Komarov says.