Russian Cyberring Busted

Following the news that  Russian police arresting 50 hackers. Two Russian deep web experts provide below an insight on this news.

• Leo Taddeo, CSO of Cryptzone and former FBI Special Agent in Charge of the NY Cybercrimes division.
• Vitali Kremez, Cybercrime Intelligence researcher at Flashpoint.

Leo Taddeo, Chief Security Officer at Cryptzone:

This operation shows what US cyber experts knew all along, that Russia is very capable of finding and stopping cybercriminals operating within their borders.  The remaining question is whether Russia has changed its policy of intransigence on the cybercrime issue for the benefit of US and other victims of Russian cybercrime, or Russian law enforcement targeted this cyber gang because it made the mistake of stealing from a Russian bank.

Vitali Kremez, Cybercrime Intelligence researcher at Flashpoint:

In the aftermath of the disclosed arrest related to the Lurk trojan malware, we have conducted targeted searches related to any Lurk malware samples caught in the wild.

Based on the malware analysis, Lurk appears to be a downloader malware type, capable of installing any additional malware of choice on the infected machins. Similar to KINS, also known as ZeusVM, this variant appears to expect configuration files from the command and control (C2) server in the form of images with interesting anti-forensics obfuscation routines.

The propagation methods appear to include drive-by downloads from Exploit Kits (EK).

While the investigation discloses the arrest of the 50 hackers connected with their targeting of the Russian financial institutions, it is more likely that most of the individuals appear to be money mule operators supporting the criminal operation rather than the hackers working in concert based on the video from Ekaterinburg, Russia.

Because of Lurk being used as a downloader malware, the true extent of the campaign and its targeting is yet unknown and to be determined. The actual unidentified banking trojan is alleged to be installed post-Lurk infection.

The malware developers appear to be highly sophisticated and capable of developing malware to avoid anti-virus detection and stay on the system for quite some time.