04.08.2017
Kronos devouring its children
The man who "saved the world" from the WannaCry outbreak has been arrested on suspicion of being the author of Kronos banking Trojan
This story reminds us of the plot of the ancient Greek tragedies and the Mr. Robot TV show at the same time: Markus Hutchins who stopped the WannaCry attack has been arrested by the FBI on suspicion of being the author of the Kronos banking Trojan as part of ongoing investigation.

Group-IB tracked Kronos back in 2014 and 2015 - we warned Threat Intelligence subscribers about the Trojan's appearance for sale on hacker forums and its attacks on bank customers. Now we can tell you more about that case.
In May 2015, clients of a large Russian bank received emails requiring them to urgently provide a bank account statement to tax authorities. The letters were disguised as a legitimate bank message. However, the taxes.exe file, which was delivered to the victims, contained the Kronos banking Trojan. After installation, the virus stole money using fake web pages (web injects) in the browser, when a user attempted to perform transactions on online banking pages.

Through investigative activities, Group-IB specialists gained access to the Kronos control panel. Stolen money appeared to be transferred to the accounts of two Russian companies. There is a hypothesis that the funds were then cashed out by 'mules' and transferred to another country.
Screenshot of Kronos control panel
Kronos functionality and web injection techniques were similar to those of another notorious virus dubbed ZeuS. This Trojan, which appeared back in 2007, is reasonably called the "king of Trojans." This was one of the best-selling malware on hacker forums, and after its source code leaked online, it became one of the most popular spyware on the black market. Each month, researchers, including Group-IB experts, discover new modifications of this Trojan.

Announcements about the sale of Kronos originally appeared on underground forums in the summer of 2014. The initial price of this Trojan was $7,000 for a "life license" and $1,000 for a test license. Later, the price was reduced to $3000 "with updates, full support, as well as a team and instructions."
The author of the advertisement was a user with the moniker VinnyK. Announcements on sales of the Trojan were written in Russian. That said, when communicating with customers in Jabber, VinnyK responded in English. In 2016, VinnyK was detected searching for a ransomware and pay-per-installation services in the Netherlands, and bought German traffic. In February 2017, his account was blocked, and Kronos dropped off 'radar screens'. However, in August, quite suddenly, the climax to the story occurred.
They came for the 'hero'
n May 2017, Marcus Hutchins, a 22-year-old British malware researcher, woke up to discover his picture on front pages. In the midst of the global outbreak of WannaCry ransomware that attacked over 200,000 computers in 150 countries, Hutchins managed to stop the spread of the attack by triggering a "kill switch" in the malicious software. However, he did not seek world fame and published his messages under the moniker MalwareTech.

The journalists managed to find out the name of the "hero", which brought him in the spotlight. In early August, Hutchins was in the United States for the annual Black Hat and Def Con security conferences. Then something happened that no one expected: MalwareTech was detained by FBI agents.
According to the indictment released, Hutchins and his criminal partner (his name has not been disclosed) are accused of creating and advertising the Kronos banking Trojan, which had peak activity in 2014-2015.
The indictment alleges that in the spring of 2015, an unnamed partner of Hutchins advertised Kronos on one of the biggest and most notorious dark web forums, AlphaBay, where people freely bought drugs, fake documents, tools for espionage and hacking until recently.

In July, FBI and involved the cooperative efforts of law enforcement agencies in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom, and France conducted a large-scale operation: first they seized the AlphaBay server. Then one of the site's administrators, Alexander Cazes, known under the moniker Alpha02, was detained in Thailand. A little later officials said Cazes had hanged himself while in their custody, just before a scheduled court hearing. Through investigation of the AlphaBay server, the FBI experts managed to identify not only its customers but also administrators and sellers, purportedly including authors of Kronos.

On Friday, August 4, Hutchins the appeared before a judge, pleaded not guilty to the charges against him. The judge approved to release the researcher on bail for a bond of $30,000 under certain conditions. MalwareTech is prohibited from accessing the Internet, he must wear a GPS tracker, and he cannot contact the unnamed co-defendant mentioned in the FBI's indictment.