People have been praising Marcus Hutchins for his work on stopping the WannaCry ransomware from spreading last May. He has now been arrested in Las Vegas for allegedly creating and distributing the Kronos banking malware.
In the online community he is known as MalwareTech. He is a UK citizen and was in Las Vegas to attend the Black Hat and DEF CON hacker conferences.
According to the indictment, Hutchins and another person who was not named both face charges of violating the Computer Fraud and Abuse Act. They have been charged with six counts related to the distribution of the Kronos malware.
He is alleged to have created the Kronos Trojan in July 2014, while the other person demonstrated it via YouTube.
Both are alleged to have advertised the malware and sold it on various internet forums, including the recently taken down AlphaBay market. According to the Department of Justice, they allegedly offered the malware for $3,000 USD in August 2014. The indictment also alleges that the pair updated the malware's source code in February 2015 and again in April of that year. The second defendant posted it on AlphaBay and allegedly sold it for $2,000 in crypto-currency. According to the indictment, the same person also began offering crypting services intended to conceal the malware from detection.
IBM also reported advertisements for Kronos on Russian malware forums in July 2014, and it was said to have the capability to evade detection and analysis.
So how does this work? Kronos is designed as a typical banking malware that focuses on stealing users' credentials. It does this with webinjects that mimic leading banking and financial websites and work across the major browsers. These are specially crafted phony login pages asking for personal information, passwords, ATM PINs and security question answers. According to IBM, it also operates as a Ring3 (user-mode) rootkit and can hide itself from other banking trojans that may have compromised the same victim. Interestingly, some banking trojans are designed to remove competing banking trojans.
Hutchins also works for a U.S. security company called Kryptos Logic, and was hailed as a hero for halting the WannaCry outbreak. While analyzing the ransomware he uncovered a hard-coded kill switch domain that the malware beaconed out to before running. On learning this, he immediately registered the domain for approximately $10 USD. This move spared the U.S. from the significant impact the outbreak could have had if the domain had not been purchased.
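To make the kill switch mechanism concrete, here is an added example (not code from the article, from Hutchins or from Kryptos Logic) that models the decision the article describes and shows what a defender gains from registering the domain. The kill-switch domain name is not given on this page, so `KILL_SWITCH_DOMAIN` is a placeholder, the DNS log lines are constructed, and the resolver is injected so the check runs offline.

```python
"""Model of a DNS-based kill switch and the defender-side view of it.

The malware's logic (as described for WannaCry): query a hard-coded domain;
if it resolves, exit quietly; if the lookup fails, continue. Registering
("sinkholing") the domain therefore flips every infected host into the
exit path. A second benefit: every host that performs the lookup shows up
in DNS logs, which gives responders a list of machines that were hit.
"""
import re
from typing import Callable, List, Optional

# Placeholder: the real kill-switch domain is not given on this page.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"


def kill_switch_says_stop(resolve: Callable[[str], Optional[str]],
                          domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Return True when the domain resolves, i.e. the sample should halt.

    `resolve` returns an IP string or None; injecting it keeps this offline.
    """
    try:
        return resolve(domain) is not None
    except Exception:
        # Any resolver error behaves like "no answer": the sample would keep going.
        return False


def unregistered_resolver(domain: str) -> Optional[str]:
    """Before the domain was bought: no DNS record exists."""
    return None


def sinkhole_resolver(domain: str) -> Optional[str]:
    """After registration: the domain answers, so every check says stop."""
    return "192.0.2.10" if domain == KILL_SWITCH_DOMAIN else None


# Constructed DNS query log lines in a simple "ts client qname qtype" form.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.5.21 killswitch-domain.example A
2017-05-12T10:01:04Z 10.0.5.21 update.example.org A
2017-05-12T10:02:17Z 10.0.7.90 killswitch-domain.example A
2017-05-12T10:03:40Z 10.0.5.21 killswitch-domain.example A
2017-05-12T10:05:02Z 10.0.9.4 mail.example.org MX
"""

_LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def hosts_that_hit_kill_switch(log_text: str,
                               domain: str = KILL_SWITCH_DOMAIN) -> List[str]:
    """Return the sorted, de-duplicated client IPs that queried the domain.

    Each such host executed the kill-switch check, which is the detection
    signal responders can act on regardless of whether the domain resolved.
    """
    seen = set()
    for line in log_text.splitlines():
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        _ts, client, qname, _qtype = m.groups()
        if qname.lower().rstrip(".") == domain.lower():
            seen.add(client)
    return sorted(seen)


if __name__ == "__main__":
    print("before registration, sample halts:",
          kill_switch_says_stop(unregistered_resolver))
    print("after sinkholing, sample halts:",
          kill_switch_says_stop(sinkhole_resolver))
    print("hosts that performed the check:",
          hosts_that_hit_kill_switch(SAMPLE_DNS_LOG))
```

The design point is that the malware's halt condition is entirely outside the attacker's control once the domain is registered, which is why a $10 purchase could stop the spread; the log scan shows the same lookup doubles as an infection indicator.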
Even though it was stopped from spreading further, WannaCry still infected 200,000 computers in 150 countries. It infected hospital computers in the U.K. and hit them hard. Telecommunications companies, major manufacturers and other enterprises across Europe and elsewhere were compromised as well. To this day it is unknown why the malware had a hard-coded kill switch.