Russia's FSB says it's tagged the gang that used the “Lurk” trojan to raid 1.7 billion roubles – about US$25 million – from financial institutions.
Lurk was identified in 2012. At the time, Kaspersky Labs said it was a “fileless” Trojan that ran in RAM. Instead, it “uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process.“
Reuters says around 50 people have been arrested, and 18 of those are being held in custody in Moscow pending further investigation.
As well as their successful heist, the attackers issued false payment instructions worth more than 2 billion roubles, but those were blocked.
Only one of the victim institutions was named – Sberbank, which the interior ministry described as Russia's largest bank in terms of assets held.
The FSB issued a statement (translate this link) saying it also seized “computer equipment, communications equipment, banking cards issued on the nominees, as well as financial documents and large sums of cash, confirming the illegality of their activities.”
Kaspersky's ThreatPost says the Russian gang's attacks started 18 months ago. After it's injected into the victim's processes, Lurk fetches further malware from C&C servers, and Kaspersky says the attackers used a compromised VPN to make their campaign harder to detect.
The Lurk attack was a separate campaign to the Android SMS malware-slinging attacks on Sberbank last year. ®