This article is more than 1 year old

FireEye intern nailed in Darkode downfall was VXer, say the Feds

'Helped improve detection capabilities' while allegedly selling badass trojan toolkit

A former intern at security company FireEye has been arrested for creating and selling the slick and sophisticated Dendroid malware program after being caught in a global police sting that obliterated the Darkode cybercrime forum.

Prosecutors say that Morgan Culbertson, 20, of Pittsburgh, was most recently working as a whitehat anti-malware professional at the security giant while also building and selling Dendroid, a product which the company would label its chief enemy.

The alleged hacker sold the toolkit for $300 and its source code for $65,000 on the Darkode forum.

He was arrested in the global sting, codenamed Operation Shrouded Horizon, along with a total of 70 administrators and members – who included four Britons netted from 20 countries.

Culbertson said on his LinkedIn profile - which, according to Forbes, was confirmed as being his by the US attorney for the Western District of Pennsylvania - that he completed a 12 week FireEye internship as part of the Advanced Persistent Threat team, serving as mobile threat researcher.

"I improved Android malware detection by discovering new malicious malware families and using a multitude of different tools, automation techniques and decompiling analysis heuristics," Culbertson wrote.

The irony of this work is that it would have assisted Culbertson in making life tougher for his rival VXers while granting him access to new ways to evade anti-virus detection.

FireEye said in a statement to Forbes that Culbertson had been suspended from future work at the company.

The FBI said Culbertson, also known by the hacker handle Android, was charged with conspiring to send malicious code:

He is accused of designing Dendroid, a coded malware intended to remotely access, control, and steal data from Google Android cellphones. The malware was allegedly offered for sale on Darkode.

No Australians are named in the sting; however, the Australian Federal Police told Vulture South that they are speaking to a 22 year-old Victorian man in relation to the Darkode operation.

"The AFP can confirm officers have spoken with a 22 year-old man from Victoria in relation to this matter. Enquiries remain ongoing," a spokesperson said.

Dendroid is a sophisticated toolkit allowing thieves to evade Google's Play Store security controls dubbed Bouncer by using anti-emulation to prevent execution of malcode.

"Dendroid offers a full command and control infrastructure with a control panel every bit as feature rich as some of the more sophisticated Russian botnets," Lookout Security researcher Marc Rogers said in an analysis published last year.

More about


Send us news

Other stories you might like