Marcus Hutchins, digital security researcher for Kryptos Logic, is accused of creating the Kronos malware, which never took off in the cybercriminal world, say experts. Photographer: Chris Ratcliffe/Bloomberg
An apparent dealer of the Kronos banking malware – the password-pilfering software Marcus Hutchins, aka MalwareTech, is accused of creating – has told Forbes they weren’t even aware of his indictment, let alone anything to do with his involvement in the creation of the tool. Indeed, their bizarre comments only muddied the already murky waters around the U.S. government’s allegations about Hutchins, who’d only recently been hailed as a hero for stopping the WannaCry ransomware spreading.
Going under various names, including Passworded and B0tN3t, the malware seller said over encrypted chat that he first came across Kronos on the Exploit.in forum. He spun a tale about a coder linked to the malicious software, who’d “ripped off” a customer for $22,000 and been banned from the site. (Other sources who claim knowledge of the history of Kronos say it was $22,000). The dealer found out about the Kronos files, cracked them and took them for himself. (He told Forbes after publication that he didn’t have access to the full malware files; he “ripped” the front-end files, used them as proof of legitimacy, and scammed buyers by selling them ineffective tools).
Complicating matters further, Passworded said Kronos samples “are almost in every security research forums [sic],” making it possible all kinds of underground personas are flogging the tool, which experts say was designed to steal banking logins and infect point-of-sale machines. The government complaint against Hutchins alleged he was the sole creator of Kronos, whilst an unnamed other party updated and sold the malicious tool with him.
Forbes first reached out to Passworded after Kevin Beaumont, a British security reporter who’s been vocal in his support for Hutchins on Twitter, posted a screenshot of Kronos in action, as well as contact details for its owner. Beaumont had suggested that the contact might know something about the creator of the malware, but Passworded denied they had coded it, telling Forbes in internet-speak: “To be honest am not the coder but i got the file and crack it.”
This is Kronos builder, it looks like the US justice system has made a huge mistake. pic.twitter.com/2WGQVjFgED
— Kevin Beaumont (@GossiTheDog) August 3, 2017
Passworded left the chat before answering Forbes’ other questions.
Searching across the web for the dealer’s activity, it was apparent he’d tried to sell Kronos for a reduced price of $600; previous research found it for sale as high as $7,000, while the indictment claimed an unnamed party flogged it for $2,000.
The Kronos malware was recently on sale for $600 but researchers say the malware was never a big deal for cybercriminals.
They also set up a YouTube guide on how to run Kronos, not dissimilar to one described in the U.S. indictment.
Who is VinnyK?
The name VinnyK is of interest: it’s attached to early sales and scam claims around Kronos on Exploit.in. The earliest known post on the site relating to Kronos is in Russian, dating back to June 10, 2014, as noted in Beaumont’s post regarding his concerns around the case against Hutchins and on a malware blog. The U.S. indictment against Hutchins only covers activity between July 2014 and July 2015. VinnyK was selling the malware for $3,000 back then. A month later, he was showing off how well Kronos fared against anti-virus systems.
An advertisement on an online forum for the Kronos malware. VinnyK appears to be heavily involved in selling the tool.
In another Exploit.in post, a review of the Kronos malware gets a three out of five. VinnyK responds by telling them updates to improve the tool were on the way.
But somewhere along the line, certain deals went sour. Publicly available posts from 2016 on the forum detail a $5,000 sale of an exploit kit to assist with a working Kronos botnet, in which the customer claimed to have been ripped off, to which VinnyK responded by vehemently defending his actions. The dispute came to an apparently amicable end with VinnyK returning the funds.
It’s apparent from the profile image of VinnyK that the user was eventually banned from the space after being declared a ripper. This could well be the coder Passworded was referring to. Forbes attempted to contact VinnyK over encrypted chat but had received no response at the time of publication.
Kronos and the damage done
The reduced price and alleged scams hint at another truth about Kronos: it was largely a failure amongst serious cybercriminals. There was early anticipation in 2014 it could go big, as prolific and profitable as one of its forbears, the banking malware known as Zeus. In an email to your reporter from RSA’s Daniel Cohen in 2014, he wrote: “Waiting to see whether Kronos turns into something. At this point it’s just a post on a forum, no sample or binary yet. It could be an interesting development if it does, as it would point to more movement away from the Zeus code.”
In the last 24 months, according to IBM global executive security advisor Limor Kessem, the Trojan emerged with a hefty $7,000 price tag in mid-2014, but actual attacks didn’t launch until the third and fourth quarters of 2015, when the company saw some Kronos malware campaigns hitting UK banks. “But after that timeframe, have not seen much more activity from the malware,” Kessem told Forbes.
“The very last time we saw Kronos activity was a small campaign in November 2016, when Kronos infected a very small number of machines mostly in Brazil, the UK, Japan, and Canada. At that particular time, we did not see fraudulent activity from Kronos, but rather, believe it was used as a loader for other malware.
“It never really took off in the cybercrime arena. It’s possible this was due to its pricing, its functionality, or the reputation of the vendors that peddled it in the underground and dark web markets.”
This would indicate that while Kronos may have claimed some victims, it never became anything close to a serious criminal operation. If the government is correct in its claim Hutchins was its creator, they may have a job on their hands proving it caused harm as the indictment alleges.
Legally speaking, the damage done and the intent behind it is critical to the government’s case against Hutchins and another unnamed suspect. From a two-year investigation, the feds revealed only one alleged sale of $2,000, not by Hutchins, but by the unnamed party. The indictment also claims the pair intentionally caused damage to 10 or more “protected computers” without authorization over a one-year period, with little more detail.
Tor Ekeland, a lawyer specializing in Computer Fraud and Abuse Act (CFAA) cases, described the charges as “a disaster”, claiming the government is trying to punish Hutchins for “non-alleged harms that other people may have committed with Kronos.” Hutchins is looking at two CFAA charges, one count of wiretapping and another three regarding the sale and advertisement of wiretapping devices.
“It’s like saying the gun manufacturer is now liable for the bank robbery or murder committed by a gun,” added Ekeland. “Who got killed with malware? No one, but it’s completely legal for someone to buy a gun and shoot their spouse or their kid or rob a bank.”
Beaumont, a highly regarded malware researcher who knows Hutchins, said that despite working in network defence for 17 years across four multinational companies, all with more than a billion dollars in revenue, he’d never heard of Kronos.
“It’s quite surprising somebody has an indictment for a malware people don’t seem to know about talking about $2,000 in payment with potentially decades in jail.”