Ruslan Stoyanov was right: what could be history's most advanced financially-driven malware was the progeny of some 50 jailed hackers known as the Lurk group.
It is a finding that solves the mysterious demise of the world's most capable exploit kit and one of the biggest threats to end users on the internet.
Kaspersky's head of investigation told The Register as part of our investigation into the demise of Angler earlier this month he suspected the group was collared as part of the unprecedented arrests by Russia of members of the Lurk banking trojan group.
Few top intelligence community sources knew anything concrete of Angler's fate other than activity using the kit crashed to a halt on 7 June, the same time the Lurk group was arrested.
During that investigation, Stoyanov, who has clocked many years of experience as a malware investigator in the private sector and for Moscow's Cyber Crime Unit, rightly suspected Lurk actors had rented out Angler to other criminals as a "kind of side business".
His new analysis, published today, the epilogue to some six years of research that helped lead to the downfall of the Lurk hacking group, demonstrates his earlier theory correct.
Angler, he says, was the brainchild of Lurk group, brewed as a means to buoy falling revenues from their flagship trojan.
All told Lurk group stands accused of stealing some 3 billion rubles (US$46 million, £35 million, A$61 million).
At its then peak, Angler was behind a whopping 40 percent of all exploit kit infections having compromised nearly 100,000 websites and tens of millions of users, generating some US$34 million annually for its authors.
The lauded and prolific Kaspersky research team says it learned more from the investigation into Lurk than "any other".
The group counts the discovery of the Equation Group, an entity strongly suspected of being part of the NSA's offensive tailored access operations wing, as one of its most high profile recent collarings. It also helped reveal the ultra sophisticated Flame malware and offered early analysis of the Stuxnet worm.
Angler, Stoyanov says, was initially a means to deliver the Lurk banking trojan and developed into a highly-profitable money-making operation.
Go for broke
Lurk shook the blindsided Russian banking sector since it made its debut sometime around 2011.
The group dominated the small number of remote banking software vendors which Russian banks used to make payments. The malware once installed on a bank's network would search for the presence of the software and if found would download and install a custom malicious addon that could create unauthorised payment orders.
"This level of automation became possible because the cybercriminals had thoroughly studied how the banking software operated and tailored their malicious software modules to a specific banking solution," Stoyanov says.
The software vendors could not keep up. They were issuing weekly patches to customers that would last a few days before Lurk authors would find another attack vector to undermine it.
Angler activity drops dead. Image: F-Secure
Vendors restricted who had access to their software in a bid to turn the patch battle.
Eventually the beleaguered banks and software vendors asked Kaspersky for help and turned over their systems for analysis. This offered researchers a rare trove of malware samples and intelligence on the group they had previously been unable to acquire.
Lurk's operational security was tight, but a few blunders were enough to reveal that Stoyanov and his team were up against some 15 talented black hats, a crew that would grow to more than 50 by the time the hacker group was arrested.
The Lurk gang were a professional, skilled group which developed an equally impressive trojan.
"Judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status," Stoyanov says. "Even though many small and medium-sized groups were willing to work with them, they always preferred to work by themselves."
Lurk group came to power in the fall of Carberp, the former dominant player in the Russian black hat fraud scene, and quickly outshone its predecessor.
Like any popular tech prodigy, its fans were eager to consume its products. Angler, a means to help revitalise ebbing revenues, virtually sold itself.
"So when Lurk [group] provided other cyber criminals with access to Angler, the exploit pack became especially popular – a product from the top underground authority did not need advertising," Stoyanov says.
Customers were treated to a battery of fresh, clean exploits, some zero day, through which the world's end users were compromised. Flash, Java, and Silverlight were regularly hacked, while security defences were foiled and frustrated by a battery of complex obfuscation tricks including file-less infection and bypassing of Microsoft's lauded EMET security tool.
The number of victims from the constant bombardment of Angler attack campaigns were measured in millions as malvertising and silent drive-by downloads were delivered through some of the most sophisticated fraud infrastructure ever seen; only those users who could be compromised, were, limiting the chance attacks would be seen and disrupted by security researchers.
A series of gateways, hacked servers, and fast flux networks made it difficult to stop Angler by technological means, and the rise of ransomware only served to increase the financial impact wrought by the net menace.
With Angler dead, Neutrino has risen. The felling of the great leviathan tears open the canopy allowing the estimated 70 rival exploit kits to bloom.
In the weeks after Angler's end, Neutrino doubled its monthly asking price from US$3500 to US$7000, and began incorporating the rapid deployment of zero day and new exploits into its offerings, standing on the shoulders of its fallen foe.
All that really remains is for Russia to parade its win. It is odd that the Krelim has yet to do so, considering that it like many countries enjoys wheeling out black hat hackers in front of press.
"My personal experience of the Lurk investigation made me think that the members of this group were convinced they would never be caught," Stoyanov says. "They had grounds to be that presumptuous: they were very thorough in concealing the traces of their illegal activity, and generally tried to plan the details of their actions with care, however, like all people, they made mistakes." ®