Luuuk Campaign Steals €500K from an European bank in one week

Security experts at Kasperky Lab has uncovered the Luuuk banking fraud campaign which stolen half a million euros in a single week from a single bank.

Experts at Kaspersky Labs discovered new banking Trojan dubbed Luuuk which hit the customers of a single European financial institution.

In one week, Luuuk trojan targeted a single European bank, not yet identified, stealing €500,000 from 190 victims in two countries

Italy and Turkey were the countries most hit by Luuuk, all 190 victims have been identified, each victim has been deprived of a sum ranged between €1,700 to €39,000 according to the analyzed log.

Researchers at Kaspesky Lab were not able to isolate any instance of the malware used for the Luuuk campaign, but investigators suspect of Zeus banking Trojan or a heavily-modified version of another trojan.

Stefan Tanase, security researcher at Kasperksy, declared that that Luuuk looks like a completely new piece of malware.

“On the C&C server we detected there was no information as to which specific malware program was  used in this campaign. However, many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) – have  that necessary capability. We believe the malware used in this campaign could be a Zeus flavor using sophisticated web injects on the victims,” added Vicente Diaz, Principal Security
Researcher at Kaspersky Lab.

The expert at Kaspersky Lab uncovered the fraudulent campaign on 20 January when the investigators discovered its command and control (C&C) server

“The server’s control panel indicated evidence of a Trojan program used to steal money from clients’ bank accounts at least one week old when the C&C was discovered, having started no later than 13 January, 2014,” reported Kaspersky.

The criminals behind the operation, once discovered that their control infrastructure has been localized, have tried to erase every trace that could have been used by investigators to track them. Experts at Kaspersky believe that the criminals have modified the Luuuk C2 infrastructure.

The cyber criminals have spread the stolen money between several dummy accounts, as explained by Vicente Diaz:

“These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each ‘drop’ type. We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk’s bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: the more money a ‘drop’ is asked to handle, the more he is trusted.”

Diaz has confirmed that Kaspersky Lab has already contacted the targeted bank and the law enforcement agencies:

“Soon after we detected this C&C server, we contacted the bank’s security service and the law enforcement agencies, and submitted all our evidence to them,” added Diaz.

Pierluigi Paganini

(Security Affairs –  Luuuk campaign, Banking Trojan)