FireEye Intern, Author of Dendroid Android RAT, Busted in Darkode Sting

The Feds and Europol sent notorious hacking forum Darkode into a black abyss this week, making dozens of arrests – including at least one that would have our grandmothers tsk-tsking, “He seemed like such a good boy.”

Pittsburgh-born Morgan Culbertson, 20, can only be described as one of the best and brightest in his class at Carnegie Mellon University, where he’s a sophomore. He’s also a two-time intern at the cybersecurity firm FireEye, where he has been tasked with researching malware and viruses on Android smartphones. By all accounts he’s a technical whiz, and his online profile shows a bright-eyed, jug-eared kid who is a bit reminiscent in looks of a younger Ron Howard.

But according to federal investigators, behind the shiny exterior, Culbertson is actually a hardcore hacker. He’s responsible for authoring the infamous Dendroid malware, which he sold in underground hacking forums like Darkode for $300 a pop – 24/7 support included. Dendroid is a RAT (remote access trojan) that allows anyone with limited expertise to trojanize and weaponize Android apps.

Dendroid, true to its name, offers many branches of functionality with which to manhandle unsuspecting Android-based mobile phones, including the ability to make calls and delete call logs, open web pages, record calls and audio, intercept text messages, take and upload photos and videos, open an application, initiate an HTTP flood for a period of time for DoS purposes, and change command-and-control (C&C) servers.

In short, it’s a cornucopia of information-stealing and money-scamming goodness for criminals.

The Feds busted him, and now FireEye is left to wonder where things went so horribly wrong.

“Mr. Culbertson’s internship has been suspended pending an internal review of his activities,” FireEye told CNN.

We should hope so. It’s entirely possible that Culbertson has used his insider status to gain intelligence on how to compromise FireEye’s software – considering that his duties included work on FireEye’s elite advanced persistent threat team.

CNN reports that “fellow interns at FireEye… expressed shock at the criminal accusations, noting that Culbertson was sociable and not the kind of person who would knowingly cause such widespread damage.”

A regular Babyface Nelson, then. Isn’t it always the ones you least suspect?

As we reported earlier, agencies targeted cyber-criminals that were using the Darkode forum, the most prolific English-speaking cyber-criminal Dark Web site in the world, to trade and barter their hacking expertise, malware and botnets, and to find partners for their next spam runs or malware attacks. In total, the takedown resulted in 28 arrests, 37 house searches and numerous seizures of computers and other equipment.