The author of a malware strain known as the LuminosityLink RAT (Remote Access Trojan) pleaded guilty yesterday, according to a plea agreement obtained by Bleeping Computer.
The plea deal came as a surprise because before yesterday nobody even knew that authorities had managed to arrest the RAT's creator.
Earlier this year, in February, Europol had shut down a criminal network responsible for distributing the LuminosityLink RAT, but a Europol spokesperson did not confirm that they also arrested its creator.
But unbeknownst to everyone, US authorities had secretly arrested and searched the house of LuminosityLink's creator back in July 2017, even before Europol dismantled the network of LuminosityLink resellers.
This week, Grubbs admitted to authorities that he created the LuminosityLink RAT in April 2015 and later sold it online, mainly via the HackForums.net portal, where he used the username KFC Watermelon.
The plea agreement reveals that Grubbs used the forum to sell the RAT and to recruit support staff and resellers. He also ran the luminosity.link website, another place where he sold the RAT for an average price of $40.
Initially, Grubbs pleaded not guilty, arguing that the RAT was meant to be used as a remote access/support tool along the lines of TeamViewer and similar products. But US authorities say that support messages they recovered show Grubbs knew some LuminosityLink customers were using it for illegal purposes.
Furthermore, the plea agreement confirms a theory put forward by US cyber-security firm Palo Alto Networks. In February, shortly after Europol cracked down on LuminosityLink resellers, the firm pointed out that the KFC Watermelon account had stopped posting on HackForums in July 2017 and had most likely been arrested, although it had no evidence of that.
The Grubbs plea agreement reveals that US authorities raided the malware coder's home on July 10, 2017. It also points out that things didn't go as planned for the FBI: news of the raid leaked to Grubbs in advance, and he then tried to hide evidence and stash away ill-gotten funds.
This didn't help Grubbs much, as US authorities had a strong case, based on information they received from their UK counterparts.
Authorities had tracked down Grubbs based on information gathered by the UK National Crime Agency (NCA), which arrested a Bristol man in September 2016 in an unrelated investigation. The Bristol man was a LuminosityLink reseller, and based on the data found on his PC, UK officials were able to track down Grubbs and shut down the reseller network in February 2018.
Grubbs now faces a maximum prison sentence of 25 years, along with fines of up to $750,000. US officials claim that Grubbs sold his RAT to over 6,000 customers, a number that's most likely incomplete, as the NCA said the Bristol man alone sold the software to over 8,600 customers across 78 countries.
Palo Alto Networks analyzed the features of the LuminosityLink RAT in a 2016 report. LuminosityLink was considered one of the top commercial RATs on the market, with a large feature set that gave attackers full control over infected PCs, including the ability to record video and sound, take screenshots, and steal passwords.
While the official LuminosityLink RAT was shut down earlier this year, and work on the RAT stopped after Grubbs' arrest, various clones are now being peddled online, both on HackForums and other portals.