White hat hacker and botnet tracker Marcus Hutchins — the Brit who just three months ago put a stop to the WannaCry ransomware’s global rampage — is currently detained by US authorities. He is charged with creating malware known as Kronos, a banking Trojan first seen by security researchers in July 2014.
The security researcher who stopped WannaCry has been arrested for allegedly creating malware
An indictment from the US Department of Justice (DoJ) on July 11, brought by the FBI, alleges that the 23-year-old also distributed the Trojan along with a currently unnamed co-defendant, selling the malware on the now defunct AlphaBay online marketplace.
But what is Kronos?
Kronos is a type of Trojan, which itself is a type of malware that pretends to be something else — like a harmless email attachment — but is actually something far nastier, ready to infect a victim’s computer. Trojans are commonly spread via email attachments, and once downloaded, can give attackers free rein to snoop and steal sensitive information like financial data, emails, and passwords.
Kronos first appeared on a Russian underground forum in 2014, selling for $7,000 (£5,300). The IBM researchers who found it said that the Trojan offered multiple modules for evading detection and analysis as well as an option for potential buyers to test the malware for a week before actually committing to a purchase.
Kronos gave buyers the tools to grab banking details from victims’ machines, using a process called keylogging. It was equipped with a formgrabber (for stealing login credentials when accessing banking services), and worked on the web browsers Chrome, Internet Explorer, and Firefox. The Trojan also used an untraceable injection method that was able to bypass common anti-virus software.
“The business side of this offer is interesting as well. Most malware today is sold in the low hundreds of dollars, sometimes even offered for free due to several malware source code leaks,” wrote the IBM researchers in 2014. “Comparatively, the Kronos malware carries a hefty cost of $7,000.”
Kronos also came with some nifty extra features. It could alter the layout of banking web pages to add extra fields for users to fill in, such as PIN codes, in the hope of scooping up extra information from unwitting victims.
But Hutchins’ peers argue that he couldn’t have been involved with the creation or distribution of Kronos. The first announcement of Kronos was on July 1, 2014. Two weeks later, on July 13, Hutchins requested a sample of Kronos. Their argument is simple: why would he ask for a sample if he was the creator of Kronos?
“To be absolutely clear @MalwareTechBlog’s business is reversing malware to monitor botnet traffic. The DoJ has seriously fucked up,” tweeted British security architect Kevin Beaumont on August 3.
There are six counts within the DoJ indictment, together accusing Hutchins of creating and transmitting the malware, as well as attempting to cause damage to “10 or more protected computers.”
How much of a threat is Kronos?
In its statement, the DoJ said Kronos is an “ongoing threat” to both “privacy and security”. It added that it’d seen the malware actively attempting to infect devices through an email phishing campaign at the end of 2016.
Last year, it was one of six banking Trojan variants to attack Canadian banks, according to security researchers at Proofpoint. In that campaign, Kronos was delivered inside a fake Microsoft security alert that tried to get users to open an infected file.
Since the discovery of Kronos in July 2014, there have been numerous global attacks linked to the Trojan. In August 2014, Jozsef Gegeny, a security researcher at S21sec, found traces of Kronos stealing money from French bank accounts.
In October 2015, IBM researchers identified Kronos attacking banks and financial institutions in the UK, as well as one bank in India.