Luuuk Malware Steals €550k From European Bank In A Week

A group of cyber criminals was able to steal more than €550,000 (£441,000) from an unnamed European bank at the turn of the year using “mysterious malware”, with all victims in Italy and Turkey, researchers have said.

The Luuuk malware itself was not analysed by Kaspersky Lab researchers, but they did find a log the cyber criminals had kept on their command-and-control server, covering roughly a week of the operation.

The researchers subsequently contacted the bank and law enforcement. An investigation is now underway.

Luuuk – who is your father?

Kaspersky Lab researcher Stefan Tanase said the traces of the command and control infrastructure were found in January, which indicated the crooks set up the operation in December 2013. The operation could have started no later than 13 January.

Between €1,700 and €39,000 was stolen from each of 190 different accounts, with far more victims in Italy than in Turkey.

Tanase said the malware was “very mysterious” but appeared to be a man-in-the-browser (MITB) type of malware. He couldn’t rule out it being a variant of an older kind of MITB malware, such as Zeus.

“On the C&C server we detected there was no information as to which specific malware program was used in this campaign. However, many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) have that necessary capability. We believe the malware used in this campaign could be a Zeus flavour using sophisticated web injects on the victims,” added Vicente Diaz, principal security researcher at Kaspersky Lab.

A ‘hit and run’ malware campaign

“This was a hit and run operation,” Tanase added. He believes four groups of money mules were used in the operation: the stolen funds were transferred from the hacked bank accounts to accounts the mules had opened specifically for the purpose, and the mules then withdrew the cash at ATMs and passed it on to the operation’s overlords.

“Most of the time [the criminals in charge] can pick who they like, like a homeless person, and ask them to get a credit card,” Tanase added. “But usually the ones who get caught are the ones at the bottom of the pyramid.”

It appeared the different money mule groups were used to lower the risk of the whole operation being caught. Each group was given a different limit on how much it could collect, indicating that some groups were trusted more than others.
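The pattern the article describes, many compromised accounts sending unusually large sums to a handful of freshly opened beneficiary accounts over a few days, is one a bank's fraud team can look for server-side regardless of which MITB variant did the injecting. The following is an added example, not code from the article or from Kaspersky Lab: a small fan-in detector run over constructed transfer records. The account identifiers and amounts are invented, and the thresholds (at least three distinct source accounts within 48 hours, transfers of €1,700 or more) are assumptions loosely based on the figures quoted above, not values from the investigation.

```python
"""Fan-in detection for suspected money-mule beneficiary accounts.

Added example (not from the original article). Flags beneficiary accounts that
receive transfers from many distinct source accounts within a short window,
which is the transaction shape left behind by a mule-based cash-out.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Transfer(NamedTuple):
    ts: datetime
    src: str      # source (victim or ordinary customer) account
    dst: str      # beneficiary account
    amount: float  # EUR


# Constructed sample records: timestamp,source,beneficiary,amount.
# All identifiers and values here are invented for this example.
SAMPLE_LOG = """\
2014-01-13T09:12:00,IT-VICTIM-0001,TR-MULE-A,1700.00
2014-01-13T09:40:00,IT-VICTIM-0002,TR-MULE-A,5200.00
2014-01-13T11:05:00,IT-VICTIM-0003,TR-MULE-A,8900.00
2014-01-13T13:30:00,IT-VICTIM-0004,TR-MULE-A,2450.00
2014-01-14T08:15:00,IT-VICTIM-0005,IT-MULE-B,39000.00
2014-01-14T08:50:00,IT-VICTIM-0006,IT-MULE-B,12000.00
2014-01-14T10:20:00,IT-VICTIM-0007,IT-MULE-B,3300.00
2014-01-14T16:00:00,IT-CUST-0100,IT-SHOP-0042,45.90
2014-01-15T09:00:00,IT-CUST-0101,IT-SHOP-0042,120.00
2014-01-15T12:00:00,IT-CUST-0102,IT-LANDLORD-7,850.00
"""


def parse_log(text: str) -> List[Transfer]:
    """Parse CSV-style transfer lines into Transfer records, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, amount = line.split(",")
        records.append(Transfer(datetime.fromisoformat(ts), src, dst, float(amount)))
    return records


def find_fan_in_beneficiaries(
    records: List[Transfer],
    min_sources: int = 3,              # assumed threshold
    window: timedelta = timedelta(hours=48),  # assumed threshold
    min_amount: float = 1700.0,        # assumed, from the smallest sum quoted
) -> Dict[str, dict]:
    """Return {beneficiary: summary} for accounts that receive transfers of at
    least `min_amount` from `min_sources` distinct sources within `window`.

    The summary holds the number of distinct sources, the total of all
    qualifying transfers to that beneficiary, and the first/last timestamps,
    which is enough to rank mule candidates by how much they collected.
    """
    by_dst: Dict[str, List[Transfer]] = defaultdict(list)
    for r in records:
        if r.amount >= min_amount:
            by_dst[r.dst].append(r)

    flagged: Dict[str, dict] = {}
    for dst, xfers in by_dst.items():
        xfers.sort(key=lambda r: r.ts)
        start = 0
        # Sliding window over time-ordered transfers to this beneficiary.
        for end in range(len(xfers)):
            while xfers[end].ts - xfers[start].ts > window:
                start += 1
            sources = {r.src for r in xfers[start:end + 1]}
            if len(sources) >= min_sources:
                flagged[dst] = {
                    "sources": len({r.src for r in xfers}),
                    "total": sum(r.amount for r in xfers),
                    "first": xfers[0].ts,
                    "last": xfers[-1].ts,
                }
                break
    return flagged


if __name__ == "__main__":
    for dst, info in find_fan_in_beneficiaries(parse_log(SAMPLE_LOG)).items():
        print(f"{dst}: {info['sources']} sources, EUR {info['total']:.2f} "
              f"between {info['first']} and {info['last']}")
```

Ordinary merchants and landlords also receive payments from many customers, so in practice the amount floor and window are tuned against the bank's own baseline and combined with beneficiary-account age; the point of the example is the shape of the check, not the specific thresholds.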

Just two days after Kaspersky found the server, the criminals scarpered and deleted every shred of evidence that might have been used to identify them, the security firm said.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
