The British security researcher Marcus Hutchins was arrested by the FBI on Thursday after being indicted on charges of creating the Kronos banking malware.
The news of the Marcus Hutchins‘s arrest made the headlines, the motivation has shocked the IT sector; the British malware experts who stopped the WannaCry ransomware outbreak was arrested in Las Vegas on Wednesday on suspicion of being a malware author.
FBI agents nabbed the man at the airport while he was preparing to fly back to the UK, he was arrested for “his role in creating and distributing the Kronos banking Trojan,” according to a spokesperson from the U.S. Department of Justice.
According to the investigators, Marcus Hutchins created the malware and shared it online, below the indictment issued by Eastern District of Wisconsin.
The prosecutors believe Hutchins created, shared, and masterminded the Kronos banking Trojan between July 2014 and July 2015.
Marcus Hutchins has developed the malicious code and he updated the code in February 2015 with a co-conspirator who is accused of advertising the Kronos banking Trojan on hacker forums.
The accomplice has sold at least one copy of the malware for $2,000, the US government also claims that on June 11, 2015, Hutchins sold attack code in America.
Kronos was developed starting from the Zeus Trojan, it took its name after the father of Zeus in Greek mythology, with the intent to steal money from victim’s bank accounts.
Principal featured advertised were:
- Common credential-stealing techniques such as form grabbing and HTML injection compatible with the major browsers (Internet Explorer, Firefox and Chrome);+
- 32- and 64-bit ring3 (user-mode) rootkit capable of also “defending from other Trojans”;+
- Antivirus bypassing;+
- Malware-to-C&C communication encryption;+
- Sandbox bypassing.+
Kronos malware was offered for $7,000 and it includes numerous modules for evading detection and analysis, the seller also offered a “try and buy” server for $1,000, giving the possibility to test the malware for a week prior to buying it.
Going back in the time, experts noticed that Marcus Hutchins tweeted the following message on July 13, 2014.
Anyone got a kronos sample?
— MalwareTech (@MalwareTechBlog) July 13, 2014
The experts also speculate Hutchins was identified after the Feds shut down the darkweb marketplace Alphabay, where Kronos was available for sale. It is likely that Feds identified it during the investigation on the marketplace.