Following the news that Russian police arrested 50 hackers, two Russian deep web experts provide their insight on the story below.
- Leo Taddeo, CSO of Cryptzone and former FBI Special Agent in Charge of the NY Cybercrimes division.
- Vitali Kremez, Cybercrime Intelligence researcher at Flashpoint.
Leo Taddeo, Chief Security Officer at Cryptzone:
Vitali Kremez, Cybercrime Intelligence researcher at Flashpoint:
Based on the malware analysis, Lurk appears to be a downloader malware type, capable of installing any additional malware of choice on the infected machines. Similar to KINS, also known as ZeusVM, this variant appears to expect configuration files from the command and control (C2) server in the form of images with interesting anti-forensics obfuscation routines.
The propagation methods appear to include drive-by downloads from Exploit Kits (EK).
While the investigation discloses the arrest of the 50 hackers connected with their targeting of the Russian financial institutions, it is more likely that most of the individuals appear to be money mule operators supporting the criminal operation rather than the hackers working in concert based on the video from Ekaterinburg, Russia.
Because Lurk is used as downloader malware, the true extent of the campaign and its targeting is yet unknown and to be determined. The actual unidentified banking trojan is alleged to be installed post-Lurk infection.
The malware developers appear to be highly sophisticated and capable of developing malware to avoid anti-virus detection and stay on the system for quite some time.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.