Chalk one up for the good guys. When Russian law enforcement busted a banking malware gang for stealing approximately $45 million from the country's financial services firms, it disrupted several other cybercrime operations in progress.
"For a period of three weeks, the internet was safer, if only for a short time," Nick Biasini wrote on the Cisco Talos research blog.
Malware gangs typically operate on multiple fronts, using different types of malware and incorporating different attack methods. This way, if one avenue of attack gets shut down, the attackers can pivot to other activities and keep going with their criminal moneymaking enterprise.
A successful police bust, on the other hand, can shake up the cybercrime landscape as it shuts down multiple operations. The disruption is only temporary, as other players jockey for position and fill the gap left behind, but it's still a welcome respite.
Russian police arrested 50 people in early June for allegedly using the Lurk banking Trojan to steal 1.7 billion rubles over a five-year period. While the authorities have kept a lot of the details quiet, Cisco Talos researchers found links between the group and the Angler exploit kit, so the police actions appear to have had the side benefit of disrupting the kit.
Until early June, Angler was among the most widely used crimeware kits, showing up in web-based drive-by-download attacks, including malvertising. Its maintainers updated it regularly with new capabilities, such as bypasses for Microsoft's Enhanced Mitigation Experience Toolkit (EMET), and rented the infrastructure to other cybercriminals on a pay-as-you-go basis.
Several security firms noted that Angler effectively disappeared after the cybercrime bust by the Russians. Neutrino is now in the top slot for popular exploit kits.
The common thread between Lurk and Angler is a single yahoo.co.uk email address, according to Cisco Talos. This gang is believed to have used Lurk to mimic the Android app from Sberbank, Russia's largest bank, to steal user credentials, which the group used to loot bank accounts.
Researchers identified 125 domains linked to Lurk's command-and-control infrastructure and found that 85 percent of them were registered with the same yahoo.co.uk email address. That address was also one of three emails tied to the command-and-control infrastructure of the Bedep malware and the Angler exploit kit.
Researchers also found the email address associated with domains redirecting users to Angler instances. Some Angler and Bedep servers also had the same "default" page, hinting the domains may have been controlled by a common group.
"There is no way to say for certain that all of these threats are connected, but there is one single registrant account that owned domains attached to all of them," Biasini wrote.