MegalodonHTTP malware author arrested

Damballa suggests that one of the five men arrested last month by Norwegian police as part of the Europol initiative OP Falling sTAR was ‘Bin4ry’, the author of the MegalodonHTTP remote-access Trojan (RAT).

In November, the firm explained how the Trojan worked, noting its simplicity:

“It requires that .NET is installed on a device to run properly. Assuming that every recent machine with Windows has .NET installed and running by default, it shows the poor coding skills of the author – named Bin4ry. Usually malware authors don’t like to rely on dependencies – especially not .NET. This malware is sold on HackForum. Some criminals would refer to it as skid malware, or script kiddies, but its low price makes it attractive for others.”

We asked our head of technical services, Geraint Williams, about the MegalodonHTTP RAT.

Hi, Geraint. MegalodonHTTP is pretty unsophisticated and poorly coded. Who was its intended target?

With MegalodonHTTP, the developer was not interested in actually using the tool himself but in making money from those who were starting out in the cyber criminal world – he was removing himself from the risky frontline. It is an example of the black-market economy of the cyber criminal world, where developers who are often very skilful (less so in this case, it seems) make money from those who are less skilful but want to carry out attacks.

Research has shown that the sophistication of an attack is not an indication of the skill of the attacker but rather the developer who coded the tool. Attackers who are at the top of their game and operating at the high end of cyber crime activity are often very skilled at coding, and understand network and application protocols to generate advanced persistent threats (APT). Further down the scale, however, cyber criminals are much less skilful – indeed, many beginners (newbies) might not even know how to code.

The majority of attacks come from such low-skilled operators who don’t understand the protocols or even the tools they are using. Quite often, those using such tools are scanning randomly or using unsophisticated targeting to identify targets that they can compromise.

This tool supported several DDoS attacks, so it’s fair to assume that its users would have been looking to get a large base of machines infected so that they could create a botnet. They could then sell the services of this botnet, either by harvesting data from infected machines or by using it to launch DDoS attacks – whether as part of blackmail attacks or just general hacktivist activities.

Being inexperienced or less skilful coders, they might not have been aware of the performance issues relating to their tools. The advantage of .NET from their point of view was that the code is quite small as its functionality relies on the .NET framework found on many machines with Microsoft operating systems.

And who was the malware created for?

It was developed for script kiddies and cyber criminal newbies – typically children from the age of 10 upwards, and possibly including students who are being exposed to the hacker culture at university. Basically, those starting out and taking the first steps experimenting with hacking tools and exploring the forums.

Why did they use .NET to create it? Could it be used to create more sophisticated attacks?

Although very sophisticated software can be created using .NET, it is unlikely that professional tools used by experienced cyber criminals and hacktivists would be coded using such a package, as it produces software that depends on preinstalled packages such as DLLs (dynamic linked libraries). They would more likely be looking for self-contained applications that are not reliant on target machines having particular files. The last thing a more experienced attacker wants is for their tools to stop working because Microsoft has patched or updated a file the malware is reliant on.

Penetration testing

If you’re concerned about your organisation’s susceptibility to malware and online attacks, you’ll be interested in IT Governance’s penetration testing packages. Designed to identify vulnerabilities and provide remedial measures that you can take to secure your systems, they provide a complete solution for the routine security testing of your websites and IT systems to ensure that your networks and applications remain secure against cyber attacks.

Click for more information: