The hidden link between the Angler EK drop and the Lurk gang

Experts from Talos team have found a link between the drop in the Angler Kit usage and the crackdown against the Lurk gang.

Security experts believe to have found a link between the drop in the Angler Kit usage and the crackdown against the Lurk gang.

Law enforcement arrested suspects in June, authorities accused them of stealing around $45 million USD from Russian financial institutions by using the Lurk banking trojan.

According to the Cisco Talos researchers, after the arrests of the individuals behind the Lurk banking trojan  it has been observed a rapid disappearance of the Angler EK in the wild.

Recently malware researchers observed a spike in the malicious traffic related to Neutrino and RIG EKs Meanwhile the overall traffic related to other EKs show a drastic fall, around 96% since early April.

The Angler and Nuclear exploit kits rapidly disappeared, likely due to the operations conducted by the law enforcement in the malware industry.

Experts from Talos made further investigation of the phenomena, focusing their analysis on the Lurk banking trojan and its operators. The Lurk banking trojan was used by crooks to target customers of Russian banks. The experts analyzed 125 C&C servers used by the gang to manage the Lurk botnet, they discovered that the email used by a registrant of most of the domains used to control the Lurk bots is also linked to domains involved in the campaigns leveraging the Angler Exploit Kit.

“Based on this information we began looking into the Whois records for the domains and found some commonalities. Approximately 85% of the command and control (C2) domains that were identified were registered to a single registrant account john[.]bruggink@yahoo[.]co[.]uk.” states the blog post by Cisco Talos. “That email address should be familiar to those that read our research into Bedep as that was one of the three emails associated with registrant accounts that were tied to it as well as Angler.”

This account is considered by the investigators very important because its role in the back-end communication of the Angler EK. The researchers have spotted a domain registered to this account (wittalparuserigh[.]com) that was used to deliver malicious payloads that were being delivered by one of the Angler exploit servers.

The experts also linked the email to the ownership of multiple domains that were associated with redirecting users to Angler instances.

“This particular registrant account was of interest because of its role in the back-end communication of Angler. We found a domain registered to this account, wittalparuserigh[.]com, was serving the payloads that were being delivered by one of the Angler exploit servers. In addition it was also found to own domains that were associated with redirecting users to Angler instances and finally was found to be hosting the same “default” webpage on some of the C2 infrastructure as the Bedep C2, a sample of which is shown below.” continues the Talos’s analysis.

 

“There is no way to say for certain that all of these threats are connected, but there is one single registrant account that owned domains attached to all of them. If this one group was running all of these activities this will likely go down as one of the most significant arrests in the history of cybercrime with a criminal organization that was easily earning hundreds of millions of dollars.” closes the Talos Team.