Security Experts:

Code Linked to MalwareTech and Kronos Published in 2009

A piece of code linked to both the British researcher Marcus Hutchins, known online as MalwareTech, and the banking Trojan named Kronos was first published in 2009.

Hutchins became famous and was named a “hero” after he helped stop the WannaCry ransomware attack by registering a domain that acted as a kill switch for the malware.

The researcher was arrested in early August in the United States as he had been preparing to return to the U.K. and was charged for his alleged role in creating and selling Kronos. He has pleaded not guilty to the charges brought against him and released on bail during his trial. He cannot leave the U.S. and will be tracked via GPS, but authorities have allowed him to access the Internet – except for the domain used to stop the WannaCry outbreak.

The only information provided so far by authorities regarding the case they have against Hutchins is that he and an unnamed partner allegedly created and sold the Kronos malware in 2014 and 2015.

While it’s unclear what evidence these accusations are based on, some believe it may have something to do with a tweet posted by MalwareTech in February 2015, when he claimed a hooking engine he made had been abused by malware developers.

A researcher known online as “Hasherezade” has published a detailed analysis of Kronos, a piece of malware that has been around since 2014, on the Malwarebytes blog. The expert pointed out that the code used by Kronos authors to implement hooking, a technique for modifying the behavior of an application by intercepting function calls or messages passed between different components, is similar to one published by MalwareTech on his GitHub account.

However, as a Greece-based experts noted, the hooking technique found in both Kronos and MalwareTech’s GitHub account was first described in 2009.

MalwareTech is not allowed to discuss his case with anyone, but he pointed out on Twitter that none of the code found on his GitHub account implements new techniques and instead represents proof-of-concept (PoC) code for existing methods.

It’s unclear at this point if investigators used these similarities to link Hutchins to Kronos and if the code that the researcher claimed was stolen from him in 2015 was used in this banking Trojan or different malware.

According to Hasherezade, an analysis of the Kronos code suggests that its author is a skilled malware developer.

“The code is well obfuscated, and also uses various tricks that requires understanding of some low-level workings of the operating system. The author not only used interesting tricks, but also connected them together in a logical and fitting way. The level of precision lead us to the hypothesis, that Kronos is the work of a mature developer, rather than an experimenting youngster,” Hasherezade said.

While many have named Hutchins a hero for his role in stopping the WannaCry outbreak, some, including Immunity founder Dave Aitel, believe he may have actually been involved in the WannaCry attack.

Legal aspects of the case

In the meantime, some media reports claim Britain’s GCHQ spy agency knew that the FBI had been investigating Hutchins before he travelled to the United States. People familiar with the matter told The Sunday Times that the expert’s arrest in the U.S. freed the British government from the “headache of an extradition battle.”

While Hutchins awaits trial, some legal experts have called into question the constitutionality of the indictment.

“Since Hutchins’ indictment, commentators have questioned whether the creation and selling of malware—without actually using the malware—violates the two statutes under which Hutchins was charged: the Computer Fraud and Abuse Act and the Wiretap Act. It is likely that these issues will be litigated as the case unfolds,” said Alex Berengaut, a lawyer with Covington & Burling.

“But there is another question raised by the indictment: whether it violates Hutchins’ constitutional rights to charge him for his alleged conduct under any statute in this country,” Berengaut added. “Several circuits—including the Seventh Circuit, where Hutchins’ case will be heard—have recognized that the federal government cannot charge anyone, anywhere in the world irrespective of their connections to the United States.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.