Banking Trojan Lurk distributed with official software running in many large Russian banks

Published on August 02, 2016

Banking Trojan Lurk distributed with official software running in many large Russian banks

    The creators of the malicious software that stole billions of rubles from Russian banks have uploaded it to the official website of the developer of remote control of computer systems.




    Today, the details of the investigation into the case of theft by criminals of more than 1.7 billion rubles from the accounts of clients of Russian banks over five years have become known. The criminal case is a community of hackers from 15 regions of Russia who used the Lurk Trojan to hack banking networks, Kommersant writes . Information security experts involved in the investigation believe that the system administrators of banks' IT departments are indirectly responsible for the incident. They contributed to the penetration of the virus into corporate networks by downloading Trojan-infected software from the Network.

    Investigators of the investigative department of the Ministry of Internal Affairs of the Russian Federation have established possible methods of spreading the virus through banking networks. The situation became somewhat clearer after in June about 50 attackers from 15 regions of Russia were involved in the abduction of 1.7 billion rubles from Russian banks. The same group of cybercriminals, according to the investigation, was involved in attempts to withdraw another 2.2 billion rubles. The actions of the criminal group suffered, in particular, the Moscow banks Metallinvestbank and the bank "Garant-invest", as well as the Yakut bank "Taata".

    The penetration into the network of banks was carried out with the help of the Lurk trojan, which is developed by representatives of the detained group. The main members and leaders of the group are residents of the Sverdlovsk region. 14 members of the group were detained in Yekaterinburg and taken to Moscow. Prospective community leaders are Konstantin Kozlovsky and Alexander Eremin.

    Investigators believe that community representatives have implemented the Lurk Trojan program using Ammyy Admin software. The investigation is assisted by Kaspersky Lab, which published a special report with the results of an analysis of the incident. It should be noted that during the investigation, Kaspersky Lab worked together with Sberbank specialists. The report indicates that the attackers used two main ways of spreading the virus. The first is the use of exploit packs, the second is working with hacked sites. In the first variant, the distribution of the malware through specialized sites was used: specialized news sites with hidden links to virus files and accounting forums. The second option is hacking the Ammyy website and infecting software for remote work directly from the manufacturer’s website. Ammyy’s clients are the Ministry of Internal Affairs of the Russian Federation, “Russian Post”,

    Kaspersky Lab specialists found that the program file on the Ammyy website does not have a digital signature. After launching the downloaded distribution, the executable file created and launched two more executable files: this is the utility installer and the Trojan-Spy.Win32.Lurk Trojan. Representatives of the criminal group used a special algorithm for checking the identity of the infected computer on the corporate network. The check was done by a modified php script on the server of the Ammyy Group.

    According to investigators, the virus was most likely launched by IT staff of the affected companies. The wines of the experts are indirect, since they could have been unaware of the infection of the software distribution kit downloaded from the official server of the developer company. It also turned out that after the detention of a group of suspects, the contents of the distributed distribution changed. So, from the site, the Trojan-PSW.Win32.Fareit program began to spread, stealing personal information, and not the Lurk Trojan. “This suggests that for a certain fee, the attackers behind Ammyy Admin burglary offer a“ place ”in Trojan-dropper for distribution from ammyy.com,” the report of Kaspersky Lab reported.

    According to information security experts, such incidents can be avoided using the procedure for controlling the use of third-party software.

    “We do not use remote administration programs in our activities. It is prohibited and strictly controlled. And any ready-made software products undergo a comprehensive security check, which allows to exclude the presence of hidden codes, ”said the press service of the Ural Bank of Sberbank of the Russian Federation.


    In some banks in the Russian Federation, including the Ural Bank for Reconstruction and Development (UBRD), the use of external solutions for remote control of workstations is prohibited.