Luuuk is the name of a mysterious Trojan that was discovered in early 2014 after having allowed its creators to steal more than €500,000, or about $680,000, in just seven days by performing “Man-in-the-Browser” attacks. Kaspersky found the threat on January 20th, and it affected 190 customers of an unnamed bank that operates in Italy and Turkey.
The Luuuk Trojan harvested online banking login credentials from victims through a malicious web inject (attacker-controlled code inserted into the bank's pages inside the victim's browser), which allowed the program to capture usernames, passwords and one-time passcodes (OTPs) in real time, before the OTP expired.
Then, the malware would automatically check the existing balance and perform several malicious transactions “probably operating in the background of a legitimate banking session.” The money would then be transferred to mule accounts. According to the report, Luuuk stole between €1,700 and €39,000 from each bank account accessed.
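The automation described above, transfers fired from inside an otherwise legitimate session, leaves a server-side trace that a bank's fraud team can look for even when the client-side malware is never recovered. The following is an added example, not code from the Kaspersky report or from the Luuuk operation: a heuristic detector run over constructed web-application log lines. The log format, the URL paths, the session identifiers, the mule account labels and the timing thresholds are all assumptions made for the example. It flags sessions where a transfer is posted without the transfer form ever having been fetched, where a transfer follows login faster than a human could act, or where several transfers arrive in a burst.

```python
"""Heuristic detection of Man-in-the-Browser style automated transfers.

Added example; the log format, paths and thresholds are assumptions,
and the sample log below is constructed, not real bank data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: timestamp, session id, method, path, key=value extras.
# Session A1 is a human paying a bill; session B7 shows scripted behaviour.
SAMPLE_LOG = """\
2014-01-20T09:00:01 sess=A1 POST /login user=alice
2014-01-20T09:00:05 sess=A1 GET /accounts
2014-01-20T09:03:40 sess=A1 GET /transfer
2014-01-20T09:04:10 sess=A1 POST /transfer amount=250.00 to=landlord
2014-01-20T09:10:00 sess=B7 POST /login user=bob
2014-01-20T09:10:02 sess=B7 GET /accounts
2014-01-20T09:10:03 sess=B7 GET /api/balance
2014-01-20T09:10:04 sess=B7 POST /transfer amount=9800.00 to=mule01
2014-01-20T09:10:05 sess=B7 POST /transfer amount=12000.00 to=mule02
"""

LINE_RE = re.compile(r"^(\S+) sess=(\S+) (GET|POST) (\S+)(?: (.*))?$")

# Assumed thresholds: a real human needs more than 30 s from login to a
# completed transfer, and does not submit two transfers within 10 s.
MIN_HUMAN_DELAY = timedelta(seconds=30)
BURST_WINDOW = timedelta(seconds=10)


@dataclass
class Event:
    ts: datetime
    sess: str
    method: str
    path: str
    params: dict


def parse_log(text):
    """Parse the assumed log format into Event records; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sess, method, path, extra = m.groups()
        params = dict(kv.split("=", 1) for kv in (extra or "").split() if "=" in kv)
        events.append(Event(datetime.fromisoformat(ts), sess, method, path, params))
    return events


def detect_mitb(events):
    """Return {session_id: [reasons]} for sessions that look script-driven."""
    by_sess = defaultdict(list)
    for e in events:
        by_sess[e.sess].append(e)

    findings = {}
    for sess, evs in by_sess.items():
        evs.sort(key=lambda e: e.ts)
        reasons = set()
        login_ts = next(
            (e.ts for e in evs if e.method == "POST" and e.path == "/login"), None
        )
        form_seen = False
        transfers = []
        for e in evs:
            if e.method == "GET" and e.path == "/transfer":
                form_seen = True  # the user actually loaded the transfer form
            if e.method == "POST" and e.path == "/transfer":
                transfers.append(e)
                if not form_seen:
                    reasons.add("transfer without rendering form")
                if login_ts is not None and e.ts - login_ts < MIN_HUMAN_DELAY:
                    reasons.add("transfer too soon after login")
        if len(transfers) >= 2 and transfers[-1].ts - transfers[0].ts <= BURST_WINDOW:
            reasons.add("burst of transfers")
        if reasons:
            findings[sess] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for sess, reasons in detect_mitb(parse_log(SAMPLE_LOG)).items():
        print(sess, "->", ", ".join(reasons))
```

These heuristics catch naive automation that talks to the bank's endpoints directly. A more careful web inject drives the real form through the victim's browser, so the GET for the form appears in the log as well; in that case the timing and burst signals, plus device and behavioural fingerprinting, are what remain, which is why transaction-pattern monitoring on the bank side matters when the client cannot be trusted.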
Interestingly, the organization behind Luuuk set up an advanced mule infrastructure in which different mules were subject to different transfer caps, so that no single mule held enough of the stolen money to make absconding with it worthwhile.
Kaspersky analyzed only the server side of the Luuuk operation; it was not able to obtain the malicious code that ran on the victims' machines, nor to identify the infection vector.
“On the C&C server we detected, there was no information as to which specific malware program was used in this campaign,” Kaspersky Lab principal security researcher Vicente Diaz said. “However, many existing Zeus variations, including Citadel, SpyEye, and IceIX, have that necessary capability. We believe the malware used in this campaign could be a Zeus flavour using sophisticated web injects on the victims.”
The attackers took down the command-and-control server on January 22, two days after the investigation started, but this was likely an infrastructure change rather than a complete shutdown of the operation.