Marcus Hutchins, a British security researcher nicknamed MalwareTech famous for stopping the WannaCry ransomware earlier this year, got arrested while he was in the United States to attend the Def Con and Black Hat hacking conferences. The authorities in the US have accused him of creating, advertising and selling the Kronos banking malware.
While it still isn't clear whether these allegations are true or not, new reports reveal that the code chunk many had speculated was created by Hutchins was actually in use long before MalwareTech published it. Apparently, the UK also knew that Hutchins - a hero back in Britain - would be arrested if he flew to the US.
"British spy chiefs knew of FBI sting" on Marcus Hutchins
A damning report claims that the agencies back home in the UK were aware that the US would detain Hutchins when he went to attend these conferences in July. Hutchins was considered a hero for saving the NHS and was even rewarded by the UK government. In a report today, The Sunday Times has claimed that British intelligence was aware that Hutchins was walking into a trap but wanted to avoid an extradition battle.
"Officials at the intelligence agency knew that Marcus Hutchins, from Devon, who was hailed as a hero for helping the NHS, would be walking into a trap when he flew to the US in July for a cyber-conference," the report reveals.
"GCHQ was aware that a British IT expert who stopped a cyber-attack against the NHS was under investigation by the FBI before he travelled to America and was arrested for alleged cyber-offences, The Sunday Times can reveal."
According to the publication's sources, the US intelligence community wasn't happy with how some previous extradition cases were handled by the UK government and hence wanted to detain Marcus Hutchins when he was on American soil.
"Our US partners aren’t impressed that some people who they believe to have cases against [them] for computer-related offences have managed to avoid extradition. Hutchins’s arrest freed the British government and intelligence agencies from yet another headache of an extradition battle."
It is a strange move since the WannaCry ransomware attack had started in the UK and Europe before hitting the United States, by which time it had been stopped. However, it did use EternalBlue, an exploit stolen from the National Security Agency that was leaked online by the Shadow Brokers and has since been repurposed by many malware and ransomware creators.
His arrest in the US has already been criticized by both the white hat security community and activists, who see it as an unnecessary blow to the government's partnership with white hat hackers. Many have even suggested that researchers stop attending hacking events in the United States (notorious for its excruciatingly long sentences) and stop organizing them there.
Defcon or any other hacker's conference should never be organised in this country ever again.
— Cyrano de Bergerac (@Cyranogrosnez) August 20, 2017
MalwareTech was arrested on August 2 in Las Vegas, from where he was due to fly home. While the prosecution had argued against it, judges have granted him bail and have also allowed him access to the internet - a rarity in most internet-related crimes. However, he won't be able to leave the country.
I imagine moving out of your parents' house would be pretty stressful without being trapped in a foreign country with no cash, credit, or ID.
— MalwareTech (@MalwareTechBlog) August 15, 2017
Code chunk in Kronos was seen 6 years before Marcus Hutchins published it
A separate report (more of a security analysis), mentioned earlier in this post, was released over the weekend and suggests that the code found in the Kronos banking malware originated over six years before MalwareTech is accused of developing its underlying code. However, it doesn't in any way clear Hutchins of the allegations, nor does it disprove the prosecutors' accusations that Hutchins wrote this code and also sold and advertised it.
Just found the hooking engine I made for my blog in a malware sample. This is why we can't have nice things, fuckers.
— MalwareTech (@MalwareTechBlog) February 7, 2015
After Hutchins' arrest, some suggested that he was referring to the Kronos banking malware in the above tweet, as it fits the timeline of the attack revealed in the indictment. Security firm Malwarebytes, in its analysis, has now claimed that there is a big overlap between the code used in Kronos and the code in the blog post that MalwareTech had referred to.
The analysis further reveals that the technique used by both actually goes back to 2009 and both MalwareTech and the Kronos authors "learned it from other sources rather than inventing it."
"The interesting thing about this part of Kronos is its similarity with a hooking engine described by MalwareTech on his blog in January 2015. Later, he complained in his tweet that cybercriminals had stolen and adopted his code. Looking at the hooking engine of Kronos we can see a big overlap, which made us suspect that this part of Kronos could indeed be based on his ideas. However, it turned out that this technique was described much earlier (i.e. here; thanks to @xorsthings for the link), and both authors learned it from other sources rather than inventing it."
It is unclear why MalwareTech would tweet about it if it wasn't even his original code - that is, if he was indeed referring to this hooking routine used in Kronos, as many have speculated. As mentioned before, the fact that this technique was first seen in 2009 doesn't disprove the allegations against Hutchins, as he is also accused of selling Kronos, not only creating it.
Hutchins faces six charges of creating and selling Kronos between July 2014 and July 2015. If found guilty, he could face up to 40 years in a US jail.