Malware Creator Admits to Building and Selling LuminosityLink RAT
19.7.18 securityweek Virus
A Kentucky man admitted in a U.S. court to developing and distributing the remote access Trojan known as LuminosityLink.
21-year-old Colton Ray Grubbs of Stanford, Kentucky, pleaded guilty to developing the malware and selling it to thousands of people, knowing it would be used for computer intrusion, according to court documents.
Also known as Luminosity, the LuminosityLink RAT was first spotted in April 2015, providing its users with surveillance capabilities such as remote desktop and webcam and microphone access; a smart keylogger that could target specific programs; a cryptocurrency miner; and distributed denial of service (DDoS) features.
In early February 18, Europol and the UK’s National Crime Agency (NCA) announced an operation specifically targeting the sellers and users of Luminosity, but security researchers revealed soon after that the malware itself had been retired for over half a year.
According to the plea agreement obtained by investigative journalist Brian Krebs (PDF), Grubbs, who used the online handle KFC Watermelon, admitted to having designed and sold LuminosityLink at $39.99 to over 6,000 customers between April 2015 and July 2017.
The malware was distributed via the luminosity.link website and through the HackForums.net forum. Although he claimed the tool had legitimate purposes, being designed for system administration, the developer was touting capabilities that would allow potential customers to access and control systems without the legitimate owners’ knowledge or permission.
According to the document filed in court, the hacker emphasized that the malware could be installed remotely without notification, as well as its keylogging and surveillance capabilities, file exfiltration functionality, the ability to steal login credentials, crypto-mining and DDoS features, and the ability to evade detection and removal by anti-malware software.
The document also claims that Grubbs was offering free support to customers, sending private messages to respond to “questions about accessing and controlling victim computers without authorization or detection.” He also admitted to recruiting other people to sell the malware as affiliates.
In July 2017, after learning the Federal Bureau of Investigation would raid his apartment, Grubbs warned the PayPal user who was collecting LuminosityLink payments, asked his roommate to hide a laptop in his car, and also concealed a debit card associated with his Bitcoin account and a phone storing his Bitcoin information.
“Defendant removed the hard drives from his desktop computer and removed them from his apartment before the authorized search so that they would not be seized by the government. Three days later, Defendant transferred over 114 bitcoin from his LuminosityLink bitcoin address into six new bitcoin addresses,” the plea agreement reads.
Overall, the hacker pleaded guilty to three counts, two of which carry maximum sentences of 5 years in prison and a fine of up to $250,000 each, while the third carries a maximum sentence of 20 years in prison and a fine of no more than $500,000.