Authorities nab group that operated through the Lurk trojan

Jun 2, 2016 13:10 GMT  ·  By

Russian authorities have conducted a large-scale raid that resulted in the arrest of 50 people suspected of being part of a cyber-criminal group that has stolen more than $45 million (3 billion rubles) from banks and other financial companies since 2011.

Russia's FSB (Federal Security Service, formerly KGB) reported yesterday that 18 of the 50 criminals arrested during the raids are currently behind bars.

FSB received assistance during the investigation and raids from the Russian Interior Ministry, Russian security company Kaspersky Labs, and Russia's largest bank Sberbank.

Crooks tried to hide some of their money at the last minute

During the operation, some of the crooks tried to move a large part of their stolen money, but the Russian Interior Ministry managed to stop the transactions, worth $30 million dollars (2,273 billion rubles).

According to the FSB, the raid represented Russia's biggest-ever operation against a cyber-criminal group.

In a press release, Kaspersky Labs provided details about the group's mode of operation, which relied on infecting users with the Lurk trojan.

Crooks used the Lurk banking trojan to steal money from users, banks

Kaspersky says the group hacked into popular Russian news sites and hosted malware on their servers, infecting site visitors via drive-by downloads.

Lurk is a modular trojan that has been used in a variety of ways but is mostly known for collecting banking credentials (a banking trojan), especially for banks in Eastern Europe and the Russian Federation.

The trojan is particularly dangerous because it operates in-memory (inside the computer's RAM, not hard drive), which makes it hard to detect by most antivirus engines.

Crooks leveraged the data gathered by the trojan to steal money from bank accounts. Authorities only named Sberbank in their press release but said that other financial institutions were also targeted. Recently, Sberbank has also been the victim of another banking trojan, but this one targeting Android users.

Kaspersky reveals that the group used TOR, VPNs, compromised Wi-Fi connection points and hacked servers to hide their real IP address when attacking an organization. As for some of these servers, Kaspersky says they belonged to various Russian IT and telecom companies.