Five hackers arrested last month in a sting coordinated by Norway police have been revealed as running the MegalodonHTTP remote access trojan.
The Kripos-Europol operation codenamed "OP Falling sTAR" has been kept largely under wraps until security firm Damballa revealed the name of the malware involved.
The US security firm says the men located in Romania, France, and Norway were charged with possessing, using and selling malware.
"Damballa’s threat discovery center worked in cooperation with the Norwegian police over the last few months to track and identify the author of the malware called MegalodonHTTP," threat researcher Loucif Kharouni says.
"We are not at liberty to divulge the MegalodonHTTP author’s real identity, but we can confirm that the person behind the handle Bin4ry is no longer active or doing business."
@PhysicalDrive0 wow worst name ever— Loucif Kharouni (@loucif_kharouni) October 16, 2015
Researchers described in November how MegalodonHTTP was "quite simple" and had hallmarks of poor coding skills requiring .NET to be installed on infected devices.
"Usually malware authors don’t like to rely on dependencies – especially not .NET," they said.
"Despite its imposing name, MegalodonHTTP is not an advanced malware.
"The author’s goal was to create modular malware with several features but remain as small as possible, around 20Kb."
The malware sold for next to nothing on amateur hacker hangout HackForums, and on the defunct site bin4ry.com.
It sported binary downloading, distributed denial of service attack methods, remote shell, and antivirus disabling.
Passwords could be ripped from all major browsers, Filezilla FTP, Steam, and Minecraft on Windows machines.
The hacker was still selling the malware in the weeks before their arrest. Their last visit to HackForums was on 8 December, less than a week before police reported the first details of the arrest.®