Luuuk Trojan snatches €500,000 from European bank in one week

In only seven days, over half a million euros were stolen from a European bank's customers courtesy of a new banking Trojan campaign.
Written by Charlie Osborne, Contributing Writer
Credit: CNET

A European bank lost €500,000 in the course of only seven days due to a new financial fraud campaign.

Security experts at Kaspersky Lab's Global Research and Analysis Team discovered evidence of the cybercrime campaign and found that 190 clients in two countries, all customers of a single European bank that has not yet been named, suffered the theft, which was first detected on 20th January this year.

Most of the victims are located in Italy and Turkey, and according to log files that included events from bots reporting to a command and control (C&C) web panel, sums stolen from each bank account ranged from 1,700 to 39,000 euros. The team says it is likely thefts were managed automatically, and fraudulent transactions were carried out as victims logged into their online bank accounts.

According to the logs used by the attackers, the targeted attack lifted the funds from individual accounts in only seven days through the use of the Luuuk Trojan. A C&C server and accompanying control panel revealed the use of malicious software, although the security experts are unsure whether Luuuk is a completely new type of software, or a heavily modified version of another Trojan.

The reason for the uncertainty is simple: two days after Kaspersky discovered the C&C server, "every shred of evidence" that could have been used to trace the campaign was removed by the cybercriminals. However, this is believed to have been prompted by changes in the technical infrastructure used within the campaign, rather than being a signal that criminal activities were over.

Vicente Diaz, Principal Security Researcher at Kaspersky Lab, said:

On the C&C server we detected, there was no information as to which specific malware program was used in this campaign. However, many existing Zeus variations, including Citadel, SpyEye, and IceIX, have that necessary capability. We believe the malware used in this campaign could be a Zeus flavour using sophisticated web injects on the victims.

The money was siphoned away through the use of "money mules" or dummy accounts, with different "drop" groups receiving varying amounts of money. One group handled transfers of 40,000 to 50,000 euros; another 15,000 to 20,000 euros; and the third no more than 2,000 euros. Diaz explained:

These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each 'drop' type. We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash.

The Luuuk's bosses may be trying to hedge against these losses by setting up different groups with different levels of trust; the more money a 'drop' is asked to handle, the more he is trusted.

Soon after the C&C server was detected, Kaspersky contacted the bank and law enforcement agencies and submitted its evidence to the relevant parties. The server was shut down shortly after the investigation began, but this does not mean the campaign is over.