The accidental hero who hindered Wannacry’s attack, Marcus Hutchins, has been arrested by the FBI. Hutchins and another individual are suspected of “creating and distributing” a banking trojan named Kronos. Little is known about the second defendant, whose name is redacted in the indictment. Given some details present in the indictment, I find there is something fishy going on regarding Hutchins’s involvement.
Marcus Hutchins, also known as MalwareTech, is a security researcher based in the United Kingdom. Back when Wannacry was spreading like wildfire at the beginning of May, Hutchins purchased a domain that happened to be the kill switch for the proliferation of the malware. While it did not stop the malware entirely, it significantly slowed down its spread. This resulted in media outlets dubbing him an accidental hero. Now, that same person is in the FBI’s crosshairs for his alleged involvement in the creation of the Kronos malware. The FBI detained him when he attempted to return to London after the Defcon hacker conference in Las Vegas.
Kronos is a banking trojan that steals user information and credentials by using rootkits and web-injects. The Trojan first appeared around July 2014. The malware was being sold in many forums with a price tag of 3000 dollars. According to the indictment, Hutchins and the unnamed defendant are being charged with advertising and selling the malware, which resulted in damage to “10 or more computers” over a one-year period.
There are a couple of things worth noticing in this indictment, particularly in the section where the “Overt Acts in Furtherance of the Conspiracy” are listed. In this section, Hutchins is alleged to have created the Kronos malware. However, the one listed as marketing it, offering crypting services, and profiting from Kronos is the unknown defendant. On the other hand, there is no mention of Hutchins receiving payments for the alleged development or sale of Kronos. This leads me to believe that the unnamed defendant, being the one caught in AlphaBay’s crackdown, is attempting to cut a deal and use Hutchins as a scapegoat.
Due to this being an ongoing investigation, there is not much detail regarding Hutchins’s involvement with Kronos. If he did, in fact, create Kronos and had the intent to use it for malicious purposes, then he must answer for that. However, I find it far-fetched that Hutchins, who dedicates himself to information security, created and distributed malware. For those of us with an interest in information security, one of our biggest assets and liabilities is our curiosity. This is what helps us analyze, reverse engineer, and discover vulnerabilities in order to defend against them. It can also sometimes lead to adverse results. An example of this is when malware analyst Utku Sen published ransomware code on GitHub for educational purposes. Not surprisingly, it ended up being used by bad actors to infect people and extort money.