by Trend Micro’s Forward-Looking Threat Research Team
On January 15, Goncalo Esteves from Essex, UK pleaded guilty to 3 charges of computer offenses under UK law:
- 2 charges against Section 3A of the Computer Misuse Act 1990 (Making/adapting/supplying an article intended for use/to assist in the commission of a section 1 or 3 Computer Misuse offense)
- 1 charge against Section 327(1) and Section 334 of the Proceeds of Crime Act 2002 (Concealing/disguising/converting/transferring/removing criminal property)
This was the result of a collaborative investigation that Trend Micro and the National Crime Agency (NCA) in the United Kingdom initiated back in 2015, when the two organizations signed a Memorandum of Understanding (MOU) to work together in the fight against cybercrime. This collaboration is not restricted to this case alone, with Trend Micro actively continuing to assist the UK, as well as other international law enforcement partners, in their fight against cybercrime.
Esteves was responsible for the creation of the crypting service Cryptex Reborn and Cryptex Lite, for which he was charged and found guilty. In addition to these, he operated the website reFUD.me, a popular Counter AntiVirus (CAV) service. While not malware themselves, both of these tools were key components that support large underground business models of a number of cybercrime groups.
Both versions of Cryptex are examples of crypting services. They take a particular program—almost always malware—and modify it to attempt to bypass the detection engines of the major antivirus companies. Such modified malware is generally referred to as FUD (Fully UnDetectable). However, this approach primarily targets the older signature-based scan engines some security solutions use, and it is substantially less effective against modern cross-generational blends of connected threat defense techniques such as those used in Trend Micro’s XGen solutions. The tool was simply called “Cryptex” in 2011 before branching into the full (Reborn) and limited feature (Lite) versions, with Cryptex Reborn sold for $20 per month or a lifetime offering of $90.
reFUD.me was a Counter Antivirus (CAV) service. Such services allow users to upload a sample they want scanned, and the sample will then be tested for detection against 30-40 of the best-known AV companies’ products.
Cybercriminals can use such services to ensure that as few companies as possible detect their malware before deploying it against their targets (again, only with respect to signature scanning engines). Note that several other multi-scanner services exist; however, a key difference with reFUD.me is that all sharing of samples or feedback data with the various AV companies is disabled. This makes it more useful for anyone concerned with those same AV companies detecting the files they upload.
In this particular case, not only were two key enablers of criminal activity removed from the internet, but we also hope the conviction sends a strong message to those who provide such tools to support cybercrime. They should realize that they are no more immune from justice than the malware creators themselves.
For us, this is a continuation of Trend Micro’s long-term commitment to work with international law enforcement against those behind cybercrime, to help achieve our goal of making the world safe for the exchange of digital information. On a more personal note, this case all began in mid-2015 with our CTO Raimund Genes signing the MOU with the NCA. Raimund passed away last year, but we’d like to think that he’s proud of the impact this partnership is making.