Lurk

The Lurk banking trojan was discovered in 2012 after an independent researcher reported on infections occurring on computers in a corporate network after users visited one of a number of Russian online information resources. Several encrypted files appeared on the hard drives of these computers after they sent network requests to third-party resources. Lurk is unique in that it only works on systems where it can steal money, targets Russian banks, actively avoids detection, and has improved over time. Lurk's victims include IT organizations within the telecommunications, mass media and news fields, and financial institutions in Russia, including four of Russia's largest banks. Lurk is distributed by drive-by downloads, compromised websites, and across corporate networks via the PsExec utility. This trojan has also been distributed by the Angler exploit kit – suspected of being developed by the same actors as Lurk. In July, Kaspersky reported that Lurk was being downloaded from the Ammyy Admin website through the installer available for download.

The export table from a Lurk sample. Image Source: Dell SecureWorks

In June, Russian law enforcement arrested 50 hackers involved in bank fraud using the Lurk trojan. The group had stolen an estimated $45 million through their activities. The group used Lurk as an Android trojan to mimic the banking app of Russia's largest bank, Sherbank. Interestingly, a week after the arrests, the Angler exploit kit had greatly decreased in activity. Cisco Talos researchers investigated and found links between the trojan's C2 domains and the exploit kit's back-end communication.

Attack stages:

  • Lurk exploits a vulnerability and infects a victim’s system either from visiting a compromised website or through an infection on a local network.
  • The mini module, or the small program designed to download and launch other Lurk modules, is executed on the infected system.
  • The mini module then downloads the prescanner module, a dynamically loaded library designed to prescan the system for banking data, and launches it.
  • If banking data is found, the prescanner module steals the victim's FTP credentials and sends the data back to its C2 server. If no banking data is found, the process terminates.
  • If the process continues, the mini module downloads and launches the core module which connects to the C2 server to receive additional commands and plugins.
  • The core module then snoops on the victim through keylogging and screen captures of the infected system.
  • Using additional modules, Lurk then pilfers money from remote banking systems.

Reporting

  • June 2016: 50 hackers arrested for bank fraud using the Lurk trojan. (Kaspersky)
  • July 2016: Remote Access Software Ammyy Admin used to propagate Lurk trojan. (Kaspersky)
  • January 2017: Russian authorities arrested nine more hackers suspected of being involved in the distribution of the Lurk malware. (Bleeping Computer)

Technical Details

  • Kaspersky's SecureList provides technical details, including IOCs, available here.