On August 3, Motherboard published an indictment naming an unexpected suspect, made more unexpected still by its connection to the now-defunct AlphaBay market. Marcus Hutchins, the security researcher known as MalwareTech or MalwareTechBlog, allegedly created and helped distribute the Kronos banking trojan.
Hutchins made a name for himself when he "accidentally" hindered the spread of the WannaCry ransomware: the domain he registered while analyzing the malware turned out to function as its killswitch. His real name became public when reporters from The Sun, The Telegraph, and The Daily Mail tracked down and published his personal information, camped out in his front yard, and chased down his friends. Now a grand jury indictment charges Hutchins with creating Kronos and helping another party distribute the banking trojan on a darknet market and on internet forums.
The indictment comes as a surprise mainly to those who knew Hutchins only as MalwareTech, the self-described "Malware Researcher." Others claimed that Hutchins had operated under pseudonyms at some point in time. The indictment contains nothing connecting Hutchins to other online personas, such as TouchMe or TouchMyMalware, but theories run wild elsewhere. For several reasons, among them the blacked-out name in every paragraph, the indictment itself fails to give an accurate picture; its details are vague or missing altogether.
The grand jury also named a co-defendant, although in the copy of the indictment published by the Department of Justice that name is redacted. Some speculate that the second party informed on MalwareTech. At this point, all that exists publicly is conjecture, though some of it seems logical enough if the indictment is accurate. "There it is – I'll bet money @MalwareTechBlog's snitch got caught up in AlphaBay arrests and ratted him out," one Twitter user wrote.
The indictment names Hutchins in all six counts. It is worth remembering that a federal grand jury does not need a unanimous vote to indict; under Federal Rule of Criminal Procedure 6(f), at least 12 of its 16 to 23 members must concur. The co-defendant, still unidentified to the public, is also named in all six counts.
Marcus Hutchins, aka Malwaretech, along with the unnamed co-defendant received a total of six charges each:
- one count of conspiracy to commit computer fraud and abuse;
- three counts of distributing and advertising an electronic communication interception device;
- one count of endeavoring to intercept electronic communications;
- one count of attempting to access a computer without authorization.
The indictment points to a video, allegedly created by MalwareTech, that explained how to use the Kronos banking trojan, and the other alleged "crimes" are largely of the same instructional kind. According to the indictment, all of the conduct occurred between July 2014 and July 2015. The Cyber Threat Insider blog reported first seeing Kronos advertised on Russian forums in June 2014, alongside the launch of the Kratos trojan. At the time, the Kronos pricing was strikingly high. "Kronos costs $7,000 (a special release price till July 18th is $5,000), and one-week trial is offered for $1,000, on your own domain," the Cyber Threat blog reported.
Most of the advertisements for Kronos described its features as if the trojan were an upgraded version of Zeus, and in many ways it was one of Zeus's many successors. Like the developers of Floki Bot, the developers of Kronos claimed the trojan was more than Zeus with added features, even though Zeus and Kronos could use the same .html webinject files. Below is an early translation from a Russian forum:
"Introducing Kronos, the only actively supported 32/64-bit rootkit banking trojan.
Kronos comes with a 64-bit and 32-bit rootkit to provide you with the stealth and compatibility needed for all of your banking operations.
Formgrabber: Kronos has an advanced formgrabber that does not use the publicly available methods. It logs ALL POST requests and returns the data to the control panel.
Webinjects: Zeus-style webinjects with Kronos-style injection techniques. Inject forms and get additional information, or automatically transfer funds with the use of webinjects.
32-bit and 64-bit ring 3 rootkit: Kronos has a very advanced 32- and 64-bit rootkit that helps it hide from the user and evade other bot detection. Great for stealthy operations and helping your botnet live longer.
Proactive bypass: Kronos uses undetected injection techniques to work without triggering proactive antivirus protection.
Encrypted communication: Communication between the bot and the panel is encrypted to help better secure data.
Sandbox and usermode rootkit bypass: Kronos can bypass any hook installed in usermode, which allows it to go untouched by other rootkits or sandboxes."
"On or about July 13, 2014, a video showing the functionality of the Kronos banking trojan was posted to Youtube. [Unidentified co-defendant] used the video to demonstrate how Kronos worked," authorities claimed. Then, "on or about April 29, 2015," the supposed "snitch" listed the Kronos banking trojan on AlphaBay. In June 2015, the same person sold a copy of the trojan for $2,000 in "digital currency."
In 2016, someone relaunched the Kronos banking trojan yet again. It was marketed on Russian forums and in advertisements spammed over Jabber:
"Kronos refreshed and became better than before! Problems with Chromium crashing and with the incorrectly working grabber and injections are solved. Fixed data collection and injection in FF. MS Edge supports data collection and injections. Some changes have been made to improve stability. Become a customer today and get discounts on modules (distribution via USB, SOCKS5 and hidden VNC) that will be developed.
The price is $3,000 (without bargaining), payment through bitcoin. The transaction will receive useful contacts. Contact: V***@****.im"
After the Black Hat and DEF CON conferences in Las Vegas, US law enforcement arrested Hutchins as he prepared to board a flight home to the UK. On August 3, Motherboard confirmed that the 23-year-old had been detained at the Henderson Detention Center in Nevada. Hours later, Joseph Cox spoke with a friend of Hutchins who said US authorities had moved the alleged trojan creator. "I've spoken to the US Marshals again and they say they have no record of Marcus being in the system. At this point we've been trying to get in contact with Marcus for 18 hours and nobody knows where he's been taken," the friend told Motherboard. A spokesperson for the US Marshals said the case was an FBI matter.
Hutchins appeared before U.S. Magistrate Judge Nancy Koppe in Las Vegas on August 4. The court heard that Hutchins "had cooperated with the government prior to being charged." Twitter users speculated that this referred to his cooperation during the WannaCry ransomware outbreak, not to any statements to law enforcement about the present accusations. As some pointed out, this case has the potential to be far from ordinary.