Lurk trojan takedown also took out Angler exploit kit
Follow the malware
Security researchers have discovered a possible link between the demise of the Angler exploit kit and a crackdown against the Lurk banking trojan crew.
In June, a group of individuals was arrested in Russia for using Lurk to target Russian banks. Cisco Talos researchers noticed that within a week of the arrests, Angler had disappeared from the threat landscape.
This coincidence prompted the Talos team to look more closely at Lurk, a prolific and profitable trojan that specifically targeted customers of Russian banks. The suspects arrested in June stand accused of stealing around $45m from Russian banks using Lurk.
Lurk was delivered largely through Angler to victims inside Russia. Cisco Talos researchers discovered further links after running background checks against a list of more than 125 command and control (C2) domains associated with the Lurk banking trojan.
A registrant account associated with the majority of domains controlling the Lurk botnet also turned up in a list of known associates of the Angler Exploit Kit, as a blog post by Cisco Talos explains:
Approximately 85 per cent of the [Lurk] command and control (C2) domains that were identified were registered to a single registrant account john[.]bruggink@yahoo[.]co[.]uk ... This particular registrant account was of interest because of its role in the back-end communication of Angler. We found a domain registered to this account, wittalparuserigh[.]com, was serving the payloads that were being delivered by one of the Angler exploit servers.
In addition, it was also found to own domains that were associated with redirecting users to Angler instances and finally was found to be hosting the same "default" webpage on some of the C2 infrastructure as the Bedep C2.
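The pivot Talos describes above is a general infrastructure-clustering technique: collect WHOIS records for a campaign's C2 domains, group them by registrant, measure how concentrated the registrations are, then look for the same registrant in a second campaign's infrastructure. The following is an added example, not Cisco Talos's tooling; the domains and registrant addresses in it are constructed placeholders (with defanged `[.]` notation, as in the quoted post), not the real Lurk or Angler indicators.

```python
"""Registrant pivot across two sets of defanged WHOIS records (added example)."""
from collections import defaultdict

# Constructed sample data: (domain, registrant email) pairs as an analyst might
# collect them from historical WHOIS. None of these are real indicators.
LURK_C2_WHOIS = [
    ("lurk-c2-1[.]example", "registrant-a@example[.]net"),
    ("lurk-c2-2[.]example", "registrant-a@example[.]net"),
    ("lurk-c2-3[.]example", "Registrant-A@example[.]net"),   # case differs, same account
    ("lurk-c2-4[.]example", "registrant-a@example[.]net"),
    ("lurk-c2-5[.]example", "registrant-a@example[.]net"),
    ("lurk-c2-6[.]example", "registrant-a@example[.]net"),
    ("lurk-c2-7[.]example", "registrant-a@example[.]net"),
    ("lurk-c2-8[.]example", "someone-else@example[.]org"),
]

ANGLER_INFRA_WHOIS = [
    ("payload-host-1[.]example", "registrant-a@example[.]net"),  # payload server
    ("redirect-1[.]example", "third-party@example[.]org"),
    ("redirect-2[.]example", "third-party@example[.]org"),
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 'c2[.]example' back to a plain string."""
    return indicator.replace("[.]", ".")


def group_by_registrant(whois_records):
    """Map normalised registrant email -> set of refanged domains."""
    groups = defaultdict(set)
    for domain, registrant in whois_records:
        groups[refang(registrant).lower()].add(refang(domain).lower())
    return dict(groups)


def dominant_registrant(groups):
    """Return (registrant, share) for the account holding the most domains.

    share is the fraction of all domains in the set registered to that account,
    i.e. the '85 per cent' style figure from the Talos analysis.
    """
    total = sum(len(domains) for domains in groups.values())
    if total == 0:
        return None, 0.0
    top = max(groups, key=lambda r: len(groups[r]))
    return top, len(groups[top]) / total


def shared_registrants(groups_a, groups_b):
    """Registrants present in both campaigns, with the domains they tie together."""
    common = groups_a.keys() & groups_b.keys()
    return {r: (sorted(groups_a[r]), sorted(groups_b[r])) for r in common}


def pivot(whois_a, whois_b):
    """Full pivot: concentration in set A, then overlap of A's registrants with set B."""
    groups_a = group_by_registrant(whois_a)
    groups_b = group_by_registrant(whois_b)
    top, share = dominant_registrant(groups_a)
    return {
        "dominant_registrant": top,
        "dominant_share": share,
        "shared": shared_registrants(groups_a, groups_b),
    }


if __name__ == "__main__":
    result = pivot(LURK_C2_WHOIS, ANGLER_INFRA_WHOIS)
    print(f"{result['dominant_registrant']} holds "
          f"{result['dominant_share']:.0%} of the first set's domains")
    for registrant, (set_a, set_b) in result["shared"].items():
        print(f"link via {registrant}: {set_a} <-> {set_b}")
```

Registrant email is only one pivot key; the same grouping works on name-server pairs, registrar account IDs or hosting ASNs, and the quoted post's "default webpage" observation is the HTTP-response equivalent. Whatever the key, check the share against the set size before reading much into it: one registrant holding most of a large C2 list is meaningful, the same share of three domains is not.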
Angler was a leading distribution channel for ransomware as well as the Lurk banking trojan. Angler also disappeared for several weeks at the beginning of the year, but this time its departure looks altogether more permanent, since cybercrooks have already moved on to alternative exploit kits (either Rig or Neutrino), "something that was not seen when Angler disappeared at the beginning of this year," the Cisco Talos team notes. ®