UK malware researcher Marcus Hutchins accused of creating Kronos Trojan

The British security researcher Marcus Hutchins was arrested by the FBI on Thursday after being indicted on charges of creating the Kronos banking malware.

The news of the Marcus Hutchins‘s arrest made the headlines, the motivation has shocked the IT sector; the British malware experts who stopped the WannaCry ransomware outbreak was arrested in Las Vegas on Wednesday on suspicion of being a malware author.

The 22-year-old security expert, also known as MalwareTech, has been arrested in in Las Vegas after attending the Def Con hacking conference and was detained by the FBI in the state of Nevada.

FBI agents nabbed the man at the airport while he was preparing to fly back to the UK, he was arrested for “his role in creating and distributing the Kronos banking Trojan,” according to a spokesperson from the U.S. Department of Justice.

According to the investigators, Marcus Hutchins created the malware and shared it online, below the indictment issued by Eastern District of Wisconsin.

The prosecutors believe Hutchins created, shared, and masterminded the Kronos banking Trojan between July 2014 and July 2015.

Marcus Hutchins has developed the malicious code and he updated the code in February 2015 with a co-conspirator who is accused of advertising the Kronos banking Trojan on hacker forums.

The accomplice has sold at least one copy of the malware for $2,000, the US government also claims that on June 11, 2015, Hutchins sold attack code in America.

Kronos was developed starting from the Zeus Trojan, it took its name after the father of Zeus in Greek mythology, with the intent to steal money from victim’s bank accounts.

Principal featured advertised were:

Common credential-stealing techniques such as form grabbing and HTML injection compatible with the major browsers (Internet Explorer, Firefox and Chrome);+
32- and 64-bit ring3 (user-mode) rootkit capable of also “defending from other Trojans”;+
Antivirus bypassing;+
Malware-to-C&C communication encryption;+
Sandbox bypassing.+

Kronos malware was offered for $7,000 and it includes numerous modules for evading detection and analysis, the seller also offered a “try and buy” server for $1,000, giving the possibility to test the malware for a week prior to buying it.

Going back in the time, experts noticed that Marcus Hutchins tweeted the following message on July 13, 2014.

The experts also speculate Hutchins was identified after the Feds shut down the darkweb marketplace Alphabay, where Kronos was available for sale. It is likely that Feds identified it during the investigation on the marketplace.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – WannaCry, Marcus Hutchins)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.