The notorious Angler Exploit Kit (EK), responsible for the delivery of malware in countless campaigns, was the work of the Lurk cybercrime group which was finally brought to justice in June, Kaspersky Lab has confirmed.
Ruslan Stoyanov, head of the AV vendor’s computer incident investigations department, explained all in a lengthy paper detailing the work of the infamous Russian gang, which has stolen over $45 million from individuals and organizations over a several year period.
It charts their beginnings back in 2011 building the modular Lurk banking trojan, designed to target financial institutions’ remote banking service (RBS) software.
This was a highly organized and professional group, which hid its tracks carefully by using encryption for online communications, and inserted false data when registering domains, for example.
Starting off with just a handful, the number of full-time members grew to a whopping 40 before it was finally shut down, including malware developers, botnet administrators and operators, and others providing “the so-called ‘full cycle’ of malware development, delivery and monetization,” according to Stoyanov.
Angler came about in 2013 as a way to make money once the banks got wise to the group and started to take defensive measures to protect systems, he explained.
Originally developed to deliver the Lurk malware, paid access to the EK was subsequently offered to smaller groups – who were only too keen to work with a group that had by now achieved “almost legendary status” on the Russian cybercrime underground.
“Even though many small and medium-sized groups were willing to ‘work’ with [Lurk], they always preferred to work by themselves. So when Lurk provided other cyber-criminals with access to Angler, the exploit pack became especially popular – a ‘product’ from the top underground authority did not need advertising,” Stoyanov explained.
“In addition, the exploit pack was actually very effective, delivering a very high percentage of successful vulnerability exploitations. It didn’t take long for it to become one of the key tools on the criminal2criminal market.”
The Angler EK soon rose to become a prolific tool in the cybercriminals’ arsenal, and holds the dubious record of having exploited the largest number of vulnerabilities of all 22 EKs studied in a new report from Digital Shadows.
“Operators of the Angler exploit kit were reported to have used malvertising, compromised websites and spam emails in order to redirect or direct victims to the exploit kit landing page,” that report claimed. “From these landing pages, vulnerable victims were served exploits and received malicious payloads.”
Ransomware, banking trojans, credential harvesters and click fraud malware are just some of the payloads distributed by Angler, which has been superseded by other EKs like Neutrino since the June arrest of the Lurk group.