WannaCry ‘Hero’ Marcus Hutchins Admits Writing Trojan Code – Report

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

British hacker who stopped ransomware attack, tries to prevent phone call transcript being used against him in US courtroom

Marcus Hutchins, 23, the British security researcher who stopped the global WannaCry ransomware campaign in May 2017, is seeking to stop a phone conversation he had from used against him.

Hutchins, otherwise known as ‘Malwaretech’ on social media, was arrested by the FBI on 2 August in Nevada, after he attended the Black Hat and Def Con hacking conference in Las Vegas.

He has been charged by US authorities of developing and distributing the ‘Kronos’ banking malware. He has pleaded ‘not guilty’ to the charges and is currently out on bail in the United States, after friends and family raised his £23,000 bail.

trojan virus

US charges

Hutchins has rejected six charges relating to the Kronos malware and will now face trial in October this year in the US.

Essentially, the DoJ alleges that Hutchins is responsible for the creation and distribution of Kronos on Internet forums.

This was a nasty piece of malware designed to steal banking login and other financial data from infected computers. It first came to prominence in 2014 after it posed as legitimate software in order to infect people’s computers.

Its creator boasted it could evade existing anti-virus software and said it worked with Internet Explorer, Firefox and Chrome web browsers. The creator also (unusually) promised to deliver free upgrades and bug fixes for the trojan, and even offered attackers a one week trial for $1,000.

Kronos resurfaced again in October 2015 after it reportedly attacked both British and Indian banking websites.

Then in May 2016 it hit customers of Canadian financial institutions, and in November 2016 Kronos was apparently being distributed in emails sent to financial service firms, hospitality businesses, as well as those companies operating in the higher education and healthcare industries.

It has been suggested by some that code written by Hutchins was ‘stolen’ and incorporated into Kronos.

If found guilty, Hutchins could be jailed for 40 years.

Phone call

Now Hutchins is attempting to prevent a phone call transcript being used against him in the US courts.

According to the BBC, Hutchins reportedly said he wrote code for an unidentified third-party, who then used it to make bank-hacking software.

His admission came after US prosecutors on Tuesday filed the call transcript along with a two-hour FBI interview.

Lawyers for Hutchins’s are now seeking to have the evidence ruled inadmissible.

They say he had been “sleep-deprived and intoxicated” at the time and had been “coerced” into a confession.

“So, I wrote code for a guy a while back who then incorporated it into a banking malware,” Hutchins is quoted as saying during the phone call after his arrest. “So, they have logs of that, and essentially they want to know my part of the banking operation or if I just sold the code on to some guy.”

“Once they found I sold the code to someone, they wanted me to give them his name, and I don’t actually know anything about him,” he reportedly said.

Hutchins then was also quoted as discussing paying off a £5,000 debt by passing on “compiled binary” of the code.

Hero’ researcher

The fact that US authorities believe that Hutchins was responsible for the Kronos trojan has come as a surprise to many.

When the WannaCry ransowmware spread rapidly through computer systems around the world in May 2017, it crippled huge swathes of NHS IT infrastructure. As the ransomware attack began to take hold, Hutchins obtained a sample of the malware from a fellow researcher.

Hutchins then tested the ransomware in a virtual environment and discovered it queried an unregistered domain. He had noted the malware was connecting to multiple IP addresses targeting a server message block (SMB) vulnerability.

He then registered the domain, an action which ultimately resulted in the botnet being terminated. Hutchins actions only emerged days after the first WannaCry attacks.

Do you know all about security? Try our quiz!

Read also :