It has been revealed that five people arrested last month as part of a joint operation between police in Norway and Europol were behind the MegalodonHTTP remote access trojan.

The operation, dubbed OP Falling sTAR, arrested the men and charged them with possessing, using and selling malware, including RATs (remote access trojans).

The operation was conducted in cooperation with IT security firm Damballa. The firm said that the arrested men were located in various European countries.

According to Damballa's threat researcher Loucif Kharouni, the firm's threat discovery centre “worked in cooperation with the Norwegian police over the last few months to track and identify the author of the malware called MegalodonHTTP”.

“We are not at liberty to divulge the MegalodonHTTP author's real identity, but we can confirm that the person behind the handle Bin4ry is no longer active or doing business,” he said in a blog post.

The firm explained in November how the Trojan worked. According to researchers, the malware was “not very powerful” and “requires that .NET is installed on a device to run properly”.

“This malware is sold on HackForum. Some criminals would refer to it as skid malware, or script kiddies, but its low price makes it attractive for others.”

The malware includes features  such as download and execute, seven DDOS methods (UDP, HTTP Flood, SYN, NTP, XML-RPC Pingback, Slowloris and A.R.M.E.), remote shell,
crypto miner, botkill and an AV killer.

James Maude, senior security engineer at endpoint security software firm Avecto, told that the point here is that malware often doesn't need to be particularly sophisticated or clever to work. “Most organisations rely on detection based solutions so all the malware needs to be is unique,” he said.

“Even with a low level of technical skill it is possible to build a malware platform that can be sold to cyber-criminals. This particular malware product sold for between $35 and $100 [£24-£69], a price that reflected its quality. The more advanced exploit kits cost $700 [£480] per month upwards and require personal recommendations to even gain access to the marketplace,” he said.

“Even if this malware only works once, it could be used to launch ransomware that could net the criminals $350 [£240] or more, so the risk is low and the rewards are high.”

Chris Boyd, malware intelligence analyst at Malwarebytes, told SC that the downside for hackers writing with .NET is it is often easy to catch with security tools that are on the lookout for common .NET functionality.

“You'll typically see lots of .NET malware floating around on script kiddy forums, much of it poorly written and broken. While Megalodon appears to be more competent than most, offering wares on forums is a great way to get yourself caught no matter how stealthy you think you're being. For the probable low financial gains they likely made from forum sales, it really isn't worth the end-result of being hauled off by the police,” he said.

Paul Ducklin, senior technologist at Sophos, told SC that .NET is just a programming tool and any language that is easy to learn, easy to use, and well-equipped to interact with the operating system is going to be popular with programmers.

“And languages that work well for legitimate programs are likely to work just as well for the crooks. Ironically, the crooks are likely to find their work easier, given that popular languages are surrounded by supportive communities and heaps of good-quality sample code and add-on libraries,” he said.

David Kennerley, senior manager for Threat Research at Webroot, told SC that seasoned cyber-criminals have access to their own tools or are able to acquire tools with far greater capabilities than MegalodonHTTP. 

If they have a well-positioned malware delivery method available – such as exploit or phishing – they are unlikely to accept failure due to .NET issues.

“That being said, with the low price there will always be customers willing to take a shot on services such as this – especially those without the necessary coding skills to do it themselves.  You're not going to take Amazon down with this offering, but when fully operational, the admin still has credible options available – from smaller DDoS attacks to the installation of further malware variants.”