Skip to main content

Markus Hutchins: Saving the world by stopping Wannacry & arrested for Kronos

"In August 2017, British security researcher Marcus Hutchins (aka 'Malwaretech') notable for his involvement stopping the May 2017 WannaCry ransomware attack was arrested by the FBI whilst visiting the United States. He was alleged to have created the software in 2014, and to have sold it in 2015 via the AlphaBay forums."

This story reminds us of the plot of the ancient Greek tragedies and the Mr. Robot TV show at the same time: Markus Hutchins who stopped the WannaCry attack has been arrested by the FBI on suspicion of being the author of the Kronos banking Trojan as part of ongoing investigation.

In May 2015, clients of a large Russian bank received emails requiring them to urgently provide a bank account statement to tax authorities. The letters were disguised as a legitimate bank message. However, the taxes.exe file, which was delivered to the victims, contained the Kronos banking Trojan. After installation, the virus stole money using fake web pages (web injects) in the browser, when a user attempted to perform transactions on online banking pages.

Screenshot of Kronos control panel
Kronos functionality and web injection techniques were similar to those of another notorious virus dubbed ZeuS. This Trojan, which appeared back in 2007, is reasonably called the "king of Trojans." This was one of the best-selling malware on hacker forums, and after its source code leaked online, it became one of the most popular spyware on the black market. Each month, researchers, including Group-IB experts, discover new modifications of this Trojan.

Announcements about the sale of Kronos originally appeared on underground forums in the summer of 2014. The initial price of this Trojan was $7,000 for a "life license" and $1,000 for a test license. Later, the price was reduced to $3000 "with updates, full support, as well as a team and instructions."

The author of the advertisement was a user with the moniker VinnyK. Announcements on sales of the Trojan were written in Russian. That said, when communicating with customers in Jabber, VinnyK responded in English. In 2016, VinnyK was detected searching for a ransomware and pay-per-installation services in the Netherlands, and bought German traffic. In February 2017, his account was blocked, and Kronos dropped off 'radar screens'. However, in August, quite suddenly, the climax to the story occurred.

They came for the 'hero'

n May 2017, Marcus Hutchins, a 22-year-old British malware researcher, woke up to discover his picture on front pages. In the midst of the global outbreak of WannaCry ransomware that attacked over 200,000 computers in 150 countries, Hutchins managed to stop the spread of the attack by triggering a "kill switch" in the malicious software. However, he did not seek world fame and published his messages under the moniker MalwareTech.

The journalists managed to find out the name of the "hero", which brought him in the spotlight. In early August, Hutchins was in the United States for the annual Black Hat and Def Con security conferences. Then something happened that no one expected: MalwareTech was detained by FBI agents.

According to the indictment released, Hutchins and his criminal partner (his name has not been disclosed) are accused of creating and advertising the Kronos banking Trojan, which had peak activity in 2014-2015.

The indictment alleges that in the spring of 2015, an unnamed partner of Hutchins advertised Kronos on one of the biggest and most notorious dark web forums, AlphaBay, where people freely bought drugs, fake documents, tools for espionage and hacking until recently.

In July, FBI and involved the cooperative efforts of law enforcement agencies in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom, and France conducted a large-scale operation: first they seized the AlphaBay server. Then one of the site's administrators, Alexander Cazes, known under the moniker Alpha02, was detained in Thailand. A little later officials said Cazes had hanged himself while in their custody, just before a scheduled court hearing. Through investigation of the AlphaBay server, the FBI experts managed to identify not only its customers but also administrators and sellers, purportedly including authors of Kronos.

On Friday, August 4, Hutchins appeared before a judge, pleaded not guilty to the charges against him. The judge approved to release the researcher on bail for a bond of $30,000 under certain conditions. MalwareTech is prohibited from accessing the Internet, he must wear a GPS tracker, and he cannot contact the unnamed co-defendant mentioned in the FBI's indictment.


Popular posts from this blog

Javascript Miner: Hacker's Wet Dream

Experiencing lags on your computer? You're probably running a miner that consumes 100% of your CPU. Coin Hive (a JavaScript based miner) is becoming rapidly popular among Malware developers.

Coinhive, as a tool, is a JavaScript library that website owners can load on their site. When users access the site, the Coinhive JavaScript code library executes and mines for Monero, but using the user's CPU resources.

Very smart idea as it was meat to be a replacer for publicities. Coinhive launched on September 14, and its authors advertise it as an alternative to classic advertising. Coinhive claims that webmasters can remove ads from their sites, and load the Coinhive library and mine for Monero using a small portion of the user's CPU while the user is navigating the site. Site owners can make money and support their business, but without peppering their visitors with annoying ads.

The idea got some traction, and two days after it launched The Pirate Bay ran it as a tes…

NiceHash: security breach leads to 60 million lost - Iceman is behind?

A dark day for crypto currency miners, NiceHash has been hacked. Closely to 60$ millions (4,736.42 BTC) have been stolen while the bitcoin is crossing the 14k$ mark for the first time.

The hacker's bitcoin address cleary shows the steal of  4,736.42 BTC in a window of 48 hours:

NiceHash users are furious by the time of reaction of the team. It took about 24 hours to realise that big amounts have been stolen.

I've contacted a member of Iceman and knowing this security breach for some reason he explained that NiceHash actually owned their users bitcoin wallets in order to save transactions fees and collect unclaimed BTC. This issue leads to a massive security breach which allow access to all NiceHash wallets. He claimed that by reverse engineering of their miner client, Iceman group was able to access their API. Is Iceman really behind this attack?

ICEMAN: Banks holes like in Cheese

Operation "Emmenthal" is the nickname for a grand-scale phishing campaign targeting bank clients. The goal of the campaign is to receive fraudulent payments by taking actions (e.g. money transfers) on behalf of the legitimate end user.

By phishing the victims with a mobile application which mimics the bank’s genuine application, the hackers steals the two-factor-authentication tokens used during the login (both user/passwords and SMS verification code) and then issuing money transfers by SMS Services offered by the bank, together with sending these sensitive credentials to the hackers infrastructure.

The ICEMAN group, which first came to knowing after contacting me to claim responsibility for the Banrisul Bank attack in Brazil, now claim they have committed many of the reported "Emmental" attacks as well. The hacker’s intentions and motives are shown at first in this exclusive interview.

What was your goal of the attack?

We need more bank accounts to sell. The b…