Skip to main content

Markus Hutchins: Saving the world by stopping Wannacry & arrested for Kronos

"In August 2017, British security researcher Marcus Hutchins (aka 'Malwaretech') notable for his involvement stopping the May 2017 WannaCry ransomware attack was arrested by the FBI whilst visiting the United States. He was alleged to have created the software in 2014, and to have sold it in 2015 via the AlphaBay forums."

This story reminds us of the plot of the ancient Greek tragedies and the Mr. Robot TV show at the same time: Markus Hutchins who stopped the WannaCry attack has been arrested by the FBI on suspicion of being the author of the Kronos banking Trojan as part of ongoing investigation.

In May 2015, clients of a large Russian bank received emails requiring them to urgently provide a bank account statement to tax authorities. The letters were disguised as a legitimate bank message. However, the taxes.exe file, which was delivered to the victims, contained the Kronos banking Trojan. After installation, the virus stole money using fake web pages (web injects) in the browser, when a user attempted to perform transactions on online banking pages.

Screenshot of Kronos control panel
Kronos functionality and web injection techniques were similar to those of another notorious virus dubbed ZeuS. This Trojan, which appeared back in 2007, is reasonably called the "king of Trojans." This was one of the best-selling malware on hacker forums, and after its source code leaked online, it became one of the most popular spyware on the black market. Each month, researchers, including Group-IB experts, discover new modifications of this Trojan.

Announcements about the sale of Kronos originally appeared on underground forums in the summer of 2014. The initial price of this Trojan was $7,000 for a "life license" and $1,000 for a test license. Later, the price was reduced to $3000 "with updates, full support, as well as a team and instructions."

The author of the advertisement was a user with the moniker VinnyK. Announcements on sales of the Trojan were written in Russian. That said, when communicating with customers in Jabber, VinnyK responded in English. In 2016, VinnyK was detected searching for a ransomware and pay-per-installation services in the Netherlands, and bought German traffic. In February 2017, his account was blocked, and Kronos dropped off 'radar screens'. However, in August, quite suddenly, the climax to the story occurred.

They came for the 'hero'

n May 2017, Marcus Hutchins, a 22-year-old British malware researcher, woke up to discover his picture on front pages. In the midst of the global outbreak of WannaCry ransomware that attacked over 200,000 computers in 150 countries, Hutchins managed to stop the spread of the attack by triggering a "kill switch" in the malicious software. However, he did not seek world fame and published his messages under the moniker MalwareTech.

The journalists managed to find out the name of the "hero", which brought him in the spotlight. In early August, Hutchins was in the United States for the annual Black Hat and Def Con security conferences. Then something happened that no one expected: MalwareTech was detained by FBI agents.

According to the indictment released, Hutchins and his criminal partner (his name has not been disclosed) are accused of creating and advertising the Kronos banking Trojan, which had peak activity in 2014-2015.

The indictment alleges that in the spring of 2015, an unnamed partner of Hutchins advertised Kronos on one of the biggest and most notorious dark web forums, AlphaBay, where people freely bought drugs, fake documents, tools for espionage and hacking until recently.

In July, FBI and involved the cooperative efforts of law enforcement agencies in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom, and France conducted a large-scale operation: first they seized the AlphaBay server. Then one of the site's administrators, Alexander Cazes, known under the moniker Alpha02, was detained in Thailand. A little later officials said Cazes had hanged himself while in their custody, just before a scheduled court hearing. Through investigation of the AlphaBay server, the FBI experts managed to identify not only its customers but also administrators and sellers, purportedly including authors of Kronos.

On Friday, August 4, Hutchins appeared before a judge, pleaded not guilty to the charges against him. The judge approved to release the researcher on bail for a bond of $30,000 under certain conditions. MalwareTech is prohibited from accessing the Internet, he must wear a GPS tracker, and he cannot contact the unnamed co-defendant mentioned in the FBI's indictment.


Popular posts from this blog

NanoCore developper busted and senteced for 33 months

A hacker who was arrested and pleaded guilty last year—not because he hacked someone, but for creating and selling a remote access trojan that helped cyber criminals—has finally been sentenced to serve almost three years in prison.

Taylor Huddleston, 26, of Hot Springs, Arkansas, pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and intentionally selling a remote access trojan (RAT), called NanoCore, to hackers for $25.

Huddleston was arrested in March, almost two months before the FBI raided his house in Hot Springs, Arkansas and left with his computers after 90 minutes, only to return eight weeks later with handcuffs.
This case is a rare example of the US Department of Justice (DOJ) charging someone not for actively using malware to hack victims' computers, but for developing and selling it to other cybercriminals.
Huddleston admitted to the court that he created his software knowing it would be used by other cybercrimina…

ICEMAN : Infecting Crystal Finance Millennium

Iceman gang member confirms that they are behind the introduction and spreading of malwares that have affected Crystal Finance Millennium, a Ukraine-based accounting software firm. Was this a political based attack? Read more to find out.
I’ve had a chance to speak to one of the gang member on XMMP and he confirmed that the Iceman group is behind this attack. They started by a simple web attack (SQLI which lead to web shell upload, no privilege escalation was needed) in order to gain access to the web servers of the company. He confirmed that the math was simple, the Ukrainian company had many clients in the financial and medical sector which facilitated the propagation of their malware. From the archived web page, it becomes apparent they provide accounting software, personalization of medical records, blood service and "full automation of the doctor's office" - contrary to what their company name suggests, it appears they are (mostly) focused on medical software.

KillaMuvz: Undercovered british hacker

The Briton Goncalo Esteves (24), also known as KillaMuvz, has pleaded guilty to charges related to creating and running malware services. The Briton Goncalo Esteves (24) has pleaded guilty to charges related to creating and running malware services.
Such kind of platforms allows crooks to improve the development of their malicious codes. The malware created with the Esteves’ malware services would not be detected by antivirus software.
Esteves that was used the moniker ‘KillaMuvz’ is the creator of Cryptex tool commonly used by vxers to encrypt their files in an effort to avoid the detection. The first version of Cryptex was released in October 2011 and was continuously improved.
According to the NCA, Esteves has pleaded guilty to two computer misuse charges and one count of money laundering, the sentence is planned for February 12. “A cyber criminal has admitted running a product-testing service for hackers following a joint investigation by the National Crime Agency (NCA) a…