LuminosityLink website

The author of a malware strain known as the LuminosityLink RAT (Remote Access Trojan) pleaded guilty yesterday, according to a plea agreement obtained by Bleeping Computer.

The plea deal came as a surprise because before yesterday nobody even knew that authorities had managed to arrest the RAT's creator.

Earlier this year, in February, Europol had shut down a criminal network responsible for distributing the LuminosityLink RAT, but a Europol spokesperson did not confirm that they also arrested its creator.

But unbeknownst to everyone, US authorities had quietly arrested LuminosityLink's creator and searched his home back in July 2017, months before Europol dismantled the network of LuminosityLink resellers.

RAT author is a 21-year-old from Kentucky

According to court documents (indictment and plea agreement), the author of the LuminosityLink RAT is named Colton Ray Grubbs, a 21-year-old man from Stanford, Kentucky.

This week, Grubbs admitted to authorities that he created the LuminosityLink RAT in April 2015 and later sold it online, mainly via the HackForums portal, where he used the username KFC Watermelon.

The plea agreement reveals that Grubbs used the forum to sell the RAT and to recruit support staff and resellers. He also ran the LuminosityLink website, another place where he sold the RAT, for an average price of $40 per license.

Grubbs somehow knew he was about to get raided

Initially, Grubbs pleaded not guilty, arguing that the RAT was meant to be used as a legitimate remote access and support tool, along the lines of TeamViewer and similar products. But US authorities say that support messages they recovered show Grubbs knew some LuminosityLink customers were using it for illegal purposes.

Furthermore, the plea agreement also confirms a theory put forward by US cyber-security firm Palo Alto Networks. In February, shortly after Europol cracked down on LuminosityLink resellers, the company pointed out that the KFC Watermelon account had stopped posting on HackForums in July 2017 and had most likely been arrested, although it had no evidence of that at the time.

The Grubbs plea agreement reveals that US authorities raided the malware coder's home on July 10, 2017. It also points out that things didn't go as planned for the FBI: news of the raid leaked to Grubbs in advance, and he tried to hide evidence and stash away ill-gotten funds.

On July 10, 2017, after learning that the Federal Bureau of Investigation was about to perform an authorized search and seizure of his apartment, Defendant called the PayPal user collecting his LuminosityLink payments and warned him to "clean your room." Defendant gave his laptop to his roommate and asked that it be concealed in the roommate's car. Defendant concealed a debit card associated with his bitcoin account in his kitchen cabinet. Defendant concealed a phone storing his bitcoin information in his roommate's closet. Defendant removed the hard drives from his desktop computer and removed them from his apartment before the authorized search so that they would not be seized by the government. Three days later, Defendant transferred over 114 bitcoin from his LuminosityLink bitcoin address into six new bitcoin addresses.

But this didn't help Grubbs much, as US authorities had a strong case, built on information they received from their UK counterparts.

Authorities tracked down Grubbs using information gathered by the UK National Crime Agency (NCA), which had arrested a Bristol man in September 2016 in an unrelated investigation. The Bristol man was a LuminosityLink reseller, and based on the data found on his PC, UK officials were able to trace Grubbs and to shut down the reseller network in February 2018.

Grubbs faces a maximum sentence of 25 years in prison

Grubbs now faces a maximum prison sentence of 25 years, along with fines of up to $750,000. US officials say that Grubbs sold his RAT to over 6,000 customers, a number that is most likely incomplete, as the NCA said the Bristol man alone sold the software to over 8,600 customers across 78 countries.

Palo Alto Networks analyzed the features of the LuminosityLink RAT in a 2016 report. LuminosityLink was considered one of the top commercial RATs on the market, with a large feature set that gave attackers full control over infected PCs, including the ability to record video and sound, take screenshots, and steal passwords.

LuminosityLink GUI

While the official LuminosityLink RAT was shut down earlier this year, and development stopped after Grubbs' arrest, various clones are now being peddled online, both on HackForums and on other portals.
