Russian authorities make rare arrest of malware author

Russian authorities have arrested a malware author at the end of September, an action that is extremely rare in a country known to usually be soft on hackers.

According to the Russian Ministry of Internal Affairs, the suspect is a 20-year-old from the region of North Ossetia–Alania.

Russian authorities claim that between November 2017 and March 2018, the suspect created several malware strains, which he later used to infect more than 2,100 computers across Russia.

Authorities said that besides operating the malware himself, the suspect also worked with six other accomplices to distribute the malware, which eventually brought the group more than 4.3 million Russian rubles (~$55,000) in profit.

While Russian law enforcement did not share the malware author’s name, Benoit Ancel, a malware analyst at the CSIS Security Group, said last week and today on Twitter that the suspect is a Russian hacker he and other security researchers have been tracking under the nickname of “1ms0rry.”

Ancel is in the perfect position to identify this malware developer. In April 2018, Ancel worked together with other security researchers to track down 1ms0rry’s online operations and malware arsenal.

According to this report, Ancel linked 1ms0rry to malware strains such as:

• 1ms0rry-Miner: a trojan that, once installed on a system, starts secretly mining cryptocurrency to generate profit for its author.
• N0f1l3: an info-stealer trojan that can extract and steal data from infected computers. Capabilities include the ability to steal browser passwords, cryptocurrency wallet configuration files, Filezilla FTP credentials, and specific files stored on a user’s desktop.
• LoaderBot: a trojan that can be used to infect victims in a first stage and then deploy other malware on-demand during a second stage (aka a “loader”).

The French security researcher said 1ms0rry sold his malware strains on Russian-speaking hacker forums and that some of his creations were also eventually used to create even more powerful malware strains, such as Bumblebee (based on the 1ms0rry-Miner), FelixHTTP (based on N0f1l3), and EnlightenedHTTP and the highly popular Evrial (which shared some code with 1ms0rry’s creations).

The 2018 report also exposed 1ms0rry’s real-world identity as a talented young programmer from the city of Vladikavkaz, who at one point even received praises from local authorities for his involvement in the cyber-security field.

However, the young programmer made a major mistake by allowing his malware to infect Russian users.

It is no mystery by this point that Russian authorities will turn a blind eye to cybercrime operations as long as cybercriminals don’t target Russian citizens and local businesses.

For the past decade, Russian cybercrime groups have gone unpunished for operations carried out outside of Russia’s borders, with Russian officials declining to extradite Russian hackers despite repeated indictments by US authorities.

Today, all major Russian-speaking hacking forums and black market sites make it very clear in their rules that members are forbidden from attacking users in the former Soviet space, knowing that by not attacking Russian citizens, they will be left alone to operate undisturbed.

It’s because of these forum rules that a large number of malware strains today come hard-coded to avoid infecting Russian users.

However, 1ms0rry appears to have either not been aware of this rule or chose to willfully ignore it for additional profits, for which he appears to have paid the price.