MegalodonHTTP Author Arrested in December RAT Raid


The suspected author of RAT malware known as MegalodonHTTP was arrested last month with four others in a joint operation between Norwegian police and Europol, US security vendor Damballa has revealed.

Senior threat researcher Loucif Kharouni explained in a blog post yesterday that Damballa’s Threat Discovery Center had also been working with law enforcement to track those behind the malware.

Although the arrests were made last month as part of Europol’s OP Falling sTAR initiative against the use of Remote Access Trojans (RATs) in Norway, France and Romania, little else was divulged by the police.

“Very little is known about the details of the operation and who and what these miscreants did, but Norway’s Kripos national criminal investigation service noted that they were charged with possessing, using and selling malware, including RATs,” Kharouni said.

“Damballa’s Threat Discovery Center worked in cooperation with the Norwegian police over the last few months to track and identify the author of the malware called MegalodonHTTP.”

The malware itself was laid bare in an analysis by Damballa back in November. The firm claimed that despite its imposing name, it actually wasn’t that powerful or advanced at all.

It was designed to be modular, offering a range of functionality including seven different types of DDoS attack, password recovery, an ‘AV Killer’, a ‘Crypto Miner’ and a remote shell.

“It requires that .NET is installed on a device to run properly. Assuming that every recent machine with Windows has .NET installed and running by default, it shows the poor coding skills of the author—named Bin4ry,” Kharouni wrote at the time.

“Usually malware authors don’t like to rely on dependencies—especially not .NET. This malware is sold on HackForum. Some criminals would refer to it as skid malware, or script kiddies, but its low price makes it attractive for others.”
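The .NET dependency Kharouni describes is also something a defender can check for directly: a managed (.NET) executable carries a CLR runtime header, recorded as entry 14 of the PE optional header's data directory table, so a native binary and a .NET binary can be told apart from the headers alone without running anything. The following triage script is an added example written for this article, not Damballa's tooling or anything from the MegalodonHTTP author; the function names are ours, and the PE images it checks are constructed in-memory headers rather than real malware samples.

```python
"""Triage check: does a Windows PE depend on the .NET CLR?

A managed assembly has a non-empty entry at index 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
of the optional header's data directory table. Native code leaves it zeroed.
"""
import struct
import sys

CLR_DIRECTORY_INDEX = 14   # data directory slot holding the CLR runtime header
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def is_dotnet_pe(data: bytes) -> bool:
    """Return True if the image carries a CLR runtime header (managed code)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # The directory table sits at different offsets for PE32 and PE32+.
    if magic == PE32_MAGIC:
        count_off, table_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        count_off, table_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_dirs = struct.unpack_from("<I", data, opt + count_off)[0]
    entry_off = table_off + 8 * CLR_DIRECTORY_INDEX
    # Linkers may emit fewer than 16 directories; a missing slot means no CLR header.
    if num_dirs <= CLR_DIRECTORY_INDEX or size_of_optional < entry_off + 8:
        return False
    rva, size = struct.unpack_from("<II", data, opt + entry_off)
    return rva != 0 and size != 0


def classify(data: bytes) -> str:
    """Convenience wrapper for bulk triage: 'managed', 'native' or 'not-pe'."""
    try:
        return "managed" if is_dotnet_pe(data) else "native"
    except ValueError:
        return "not-pe"


def build_sample_pe(pe32plus: bool, with_clr_header: bool) -> bytes:
    """Constructed minimal PE header (assumption: not a real binary) for exercising the check."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after the DOS header
    if pe32plus:
        magic, machine, count_off, table_off = PE32PLUS_MAGIC, 0x8664, 108, 112
    else:
        magic, machine, count_off, table_off = PE32_MAGIC, 0x14C, 92, 96
    opt = bytearray(table_off + 16 * 8)              # fixed fields plus 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, count_off, 16)       # NumberOfRvaAndSizes
    if with_clr_header:
        # Any non-zero RVA/size in slot 14 marks the image as managed code.
        struct.pack_into("<II", opt, table_off + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # With a path argument, triage a real file; otherwise run over the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], classify(fh.read()))
    else:
        for plus in (False, True):
            for clr in (False, True):
                print(f"PE32{'+' if plus else ''} clr={clr}: {classify(build_sample_pe(plus, clr))}")
```

Run it with a file path to check a suspicious sample; a result of "managed" means the binary will not execute without a compatible .NET runtime on the host, which is worth noting when scoping which machines a dropped file could actually run on. The check reads only the headers, so it is safe to run on untrusted files.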

Although the identity of the author in question remains a mystery, Damballa confirmed that since the arrests, “the person behind the handle Bin4ry is no longer active or doing business.”
