Scumbag confesses in court: LuminosityLink creepware was my baby

Man admits to selling remote access malware used by morons for spying

A US software developer has admitted to selling and supporting spyware after originally claiming his remote access tool was legitimate admin software.

Colton Grubbs agreed to plead guilty to three felony charges – two counts of conspiracy, and one count of removal of property to prevent seizure – in a US federal district court in Lexington, Kentucky, in exchange for seven other charges being dropped.

Grubbs admitted on Monday to the court that his software, LuminosityLink, was being used for illegal surveillance and remote access, and that he was aware of the fact, and had actively marketed and sold the software with the intent of enabling criminals.

At its peak, LuminosityLink, which sold for $39.99, had around 6,000 customers, and could be installed on Windows PCs to spy on the machines' owners. The idea is you sneak it onto a target's computer via malicious downloads, or on an unattended PC, and so on. Once in place, the software can be remotely connected to in order to surveil the target. Perfect for screwing over spouses, partners, bosses, and other victims.

Grubbs even enlisted a small group of volunteer staff to help provide tech support for the tool's customers.

"Defendant claimed that LuminosityLink was a legitimate tool for systems administrators, but knew that many customers were using his software to remotely access and control computers without their victim's knowledge or permission," the plea deal [PDF] reads.

"Defendant's marketing emphasized these malicious features of LuminosityLink, including that it could be remotely installed without notification, record the keys that a victim pressed on their keyboard, surveil victims using their computer cameras and microphones, view and download the computer's files, steal names and passwords used to access websites, mine and earn virtual currency using victim computers and electricity, use victim computers to launch DDoS attacks against other computers, and prevent anti-malware software from detecting and removing LuminosityLink."

Fancy Bear Anonymous bear logo

Fancy that, Fancy Bear: LoJack anti-laptop theft tool caught phoning home to the Kremlin


Additionally, Grubbs copped to hiding his hard drives, debit card, and phone from investigators when they came to search his apartment, then shifting his business' Bitcoin stash to satellite accounts, and telling one of his other support staff to hide evidence.

Though Grubbs had plead not guilty when first arraigned back in June, his lawyer indicated earlier this month that a plea deal was likely to be reached. As the deal notes, both sides agreed the feds had pretty solid evidence against the developer.

Grubbs faces up 20 years in prison (but will likely get far less) when he is sentenced in October.

Grubbs is the third developer in recent months to catch a felony rap for developing and selling tools for use by hackers. Earlier this year a court sentenced Taylor Huddlestone to 33 months for selling a remote access tool, while former college comp-sci whiz kid Zachary Shames was given a six month sentence in January for selling a keylogger out of his dorm room. ®

Similar topics

Other stories you might like

  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Symbiote Linux malware spotted – and infections are 'very hard to detect'
    Performing live forensics on hijacked machine may not turn anything up, warn researchers

    Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.

    Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

    The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

    Continue reading
  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading

Biting the hand that feeds IT © 1998–2022