Russian banker trojan 'Lurk' flies under radar, picked up by researchers

Kaspersky Lab researchers spotted a Russian banking trojan, dubbed “Lurk,” that is designed to infect as many victims as possible without drawing the attention of researchers and analysts.

The trojan has targeted financial institutions including Russia's four largest banks, IT organisations working in telecommunications, mass media and news aggregators, according to a 10 June blog post.

Lurk has existed for more than five years and is spread via drive-by downloads that leverage compromised websites with legitimate software to deliver Angler Exploit packs known as “XXX,” the post said. The trojan actively resists detection, and researchers said the use of targeted attacks makes it difficult to get new samples quickly.

Users need not do anything in particular to become infected, the post said.

“Lurk is a versatile banker Trojan – it can steal money not only from the iBank 2 system that is used by many Russian banks but also from the unique online banking systems of some large Russian banks,” researchers said in the post.

Based on the methods of internal organisation used in the malware, its feature set, and the frequency with which it is modified, researchers believe a team of professional developers and testers is working on the trojan project.

According to a 1 June press release, the trojan is constantly being updated and only works on computers where it can steal money. Researchers said it is distinct because it stores its malicious code in the victim's random access memory (RAM) instead of on the victim's computer.

Researchers recommended users ensure the safety of their systems by regularly training employees on information security rules and norms, maintaining competent design and administration of an organisation's local area networks, and by using modern security software that is regularly updated.