Hackers have stolen over €500,000 from a European bank using the mysterious Luuuk Trojan. The seven-day fraud campaign was discovered on Jan. 20 by cybersecurity firm Kaspersky.
Attackers stole between 1,700 and 39,000 euros each from about 190 victims, mostly in Italy and Turkey, using a “Man-in-the-Browser” campaign and a trojan which may be a Zeus variation. Kaspersky did not identify the victimized bank.
Kaspersky discovered the attack after detecting events from bots reporting to a command and control panel among log files on a suspicious server. The sensitive components were removed by the attackers on Jan. 22, but according to a post on its website, Kaspersky believes that the attack did not end, but simply changed infrastructure.
The specific malware program used in the attack is uncertain, and could be new, but because log files indicate that usernames, passwords and OTP codes were stolen in real time, Kaspersky analysts believe it could be one of the Zeus variations with this capability which are “well-known in Italy,” such as Citadel, SpyEye, or IceIX.
“We believe the malware used in this campaign could be a Zeus flavor using sophisticated web injects on the victims,” said Vicente Diaz, Principal Security Researcher at Kaspersky Lab.
Zeus has been used to carry out fraud against banks in the past, including a high-profile US case which led to the arrest of 37 people in 2010.
The attack transferred money to “mule” accounts in four different groups, each with limits on the amount it could accept. The structure of these groups indicates a sophisticated criminal organization.
“We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash,” said Diaz. “The Luuuk’s bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: the more money a ‘drop’ is asked to handle, the more he is trusted.”
Kaspersky claims that its fraud prevention platform can defend against future Luuuk attacks, but the structure of the campaign, the unidentified malware, and the speed of withdrawal when discovered are cause for concern for banks, not to mention the successful theft itself.
Kaspersky identified a rash of fake mobile antivirus apps in May, in another new and sophisticated twist on a traditional cyber attack type.