Dutch police arrest suspected hacker behind Rubella and Dryad malware

News by Rene Millman

The Dutch National Police Unit has arrested a hacker suspected of large-scale production and selling of malware such as Rubella and Dryad, aided by private companies including McAfee.

The Dutch National Police Unit has arrested a hacker suspected of large-scale production and selling of malware such as Rubella and Dryad.
According to a statement by the police, the man offered programs with names such as Rubella, Cetan and Dryad, which let a buyer embed hidden code or malware in Word or Excel files.
The suspect was active on hacker forums under various names. Eventually all these names were traced to a man from Utrecht, who was arrested sitting at his computer. Police said two private companies, including the cyber-security company McAfee, helped with the investigation that led to him.
According to police, the suspect developed and supplied, among other tools, the macro builder Rubella, selling it for prices ranging from a couple of hundred to thousands of euros. A macro builder is a toolkit that embeds fragments of hidden code (macros) in widely used Office documents such as Excel and Word files. When such an infected document is opened and macros are allowed to run, the hidden code executes; it can, among other things, surreptitiously download malware or start a program on the device. The macro builder would craft the documents so that they would not usually be detected by a virus scanner.
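The mechanism described above is what a defender has to undo to see what a built document actually does. The following is an added example written for this article, not code from the police, McAfee or the Rubella/Dryad builders. Office stores each VBA module's source compressed (the CompressedContainer format in MS-OVBA section 2.4.1), so a plain string scan of vbaProject.bin shows nothing useful; `decompress_stream()` implements that decompression, and `triage_module()` then looks for auto-execute entry points and calls that fetch or run something. The function names, the keyword lists and `SAMPLE_VBA` are this example's own choices, and the sample macro is constructed, not taken from any real document. It assumes the caller has already sliced one module's compressed source out of vbaProject.bin (an OLE2 file inside the .docm/.xlsm zip), for instance with the olefile library; `compress_literal()` exists only to build an offline fixture.

```python
"""MS-OVBA module-stream triage: decompress hidden VBA source and flag what it does.

Added example, not code from the police, McAfee or the Rubella/Dryad builders.
Assumes the compressed source of one VBA module has already been extracted from
vbaProject.bin (e.g. with olefile). compress_literal() and SAMPLE_VBA only build
a constructed offline fixture.
"""
import math
import re

# Procedure names Office invokes on its own when a document is opened or closed.
AUTO_EXEC = re.compile(
    r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec|AutoClose"
    r"|Document_Close|Workbook_Activate)\b", re.IGNORECASE)
# Calls that fetch or run something, plus helpers commonly used to obscure strings.
SUSPICIOUS = re.compile(
    r"\b(WScript\.Shell|Shell|CreateObject|URLDownloadToFile|XMLHTTP|powershell"
    r"|Environ|Chr|StrReverse|Execute)\b", re.IGNORECASE)


def decompress_stream(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (spec 2.4.1.3.1, DecompressContainer)."""
    if not data or data[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2
        chunk_size = (header & 0x0FFF) + 3          # size including the 2-byte header
        compressed = bool(header & 0x8000)
        chunk_end = min(pos + chunk_size - 2, len(data))
        chunk_start_out = len(out)
        if not compressed:                          # raw chunk: 4096 bytes copied as-is
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = data[pos]                       # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # The offset/length split of a CopyToken depends on how much of the
                # current chunk has been decoded so far (spec 2.4.1.3.19.1).
                difference = len(out) - chunk_start_out
                if difference == 0:
                    raise ValueError("copy token at start of chunk")
                bit_count = max(math.ceil(math.log2(difference)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):             # overlapping copy is legal (LZ77-style)
                    out.append(out[src + i])
    return bytes(out)


def compress_literal(plain: bytes) -> bytes:
    """Encode bytes as a valid CompressedContainer using literal tokens only.

    Real Office writers also emit copy tokens; this is just enough to build a
    fixture. 3640 plain bytes + 455 flag bytes stay under the 4096-byte chunk limit.
    """
    out = bytearray(b"\x01")
    for start in range(0, len(plain), 3640):
        chunk = plain[start:start + 3640]
        body = bytearray()
        for i in range(0, len(chunk), 8):
            body.append(0x00)                       # flag byte: next 8 tokens are literals
            body += chunk[i:i + 8]
        header = 0xB000 | (len(body) - 1)           # compressed flag, signature 0b011, size-3
        out += header.to_bytes(2, "little") + body
    return bytes(out)


def triage_module(stream: bytes) -> dict:
    """Decompress one module stream and report entry points and risky calls found."""
    source = decompress_stream(stream).decode("latin-1")
    return {
        "auto_exec": sorted({m.group(1) for m in AUTO_EXEC.finditer(source)}),
        "suspicious": sorted({m.group(1) for m in SUSPICIOUS.finditer(source)}),
    }


# Constructed sample in the style of a dropper macro a builder emits (not a real payload).
SAMPLE_VBA = (
    'Attribute VB_Name = "ThisDocument"\r\n'
    "Private Sub Document_Open()\r\n"
    "    Dim o As Object\r\n"
    '    Set o = CreateObject(StrReverse("llehS.tpircSW"))\r\n'
    '    o.Run "powershell -w hidden -f " & Environ("TEMP") & "\\update.ps1", 0\r\n'
    "End Sub\r\n"
)

if __name__ == "__main__":
    fixture = compress_literal(SAMPLE_VBA.encode("latin-1"))
    print(triage_module(fixture))
```

Two practical caveats. First, because the module source is compressed, a `strings`-style pass over vbaProject.bin misses it, which is one reason naively scanned builder output looks clean; the full chain (unzip the document, open the OLE2 container, decompress the `dir` stream to find each module's offset, then decompress the modules) is what tools such as oletools' olevba automate. Second, the auto-exec list above is the minimum for VBA; Excel 4.0 macro sheets and document-level triggers such as `Workbook_BeforeClose` are separate cases a production scanner would also cover.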
The suspect was found in possession of data concerning dozens of credit cards and manuals on carding, a type of credit card fraud. The young man also had access to credentials for thousands of websites. It is not known what he was planning to do with these, police said.
The suspect had collected some €20,000 in cryptocurrency such as bitcoin, which was seized by police. A confiscation order will be issued in due course.
Police said that further investigations will be made. The public prosecutor has meanwhile decided that the suspect will have to face trial. No court date has yet been set.
In a blog post, John Fokker, head of Cyber Investigations at McAfee, said that toolkits that build weaponised Office documents, such as Dryad and Rubella, cater to the increasing cyber-criminal demand for this type of infection vector. 
"With the arrest of the suspect comes an end to the era of Dryad and Rubella Macro Builder. Based on his activity, the suspect looked like quite the cyber-criminal entrepreneur, but given his young age this is also a worrisome thought," he said.
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that it’s always unfortunate when you hear of talented young minds being drawn down criminal paths. "While making quick money is certainly a draw, sometimes it's down to lack of opportunities or awareness of opportunities. It would make sense if technology firms could partner with local police outreach programmes which tackle issues like preventing young children from joining gangs, to do similar activities in showcasing the vast potential that awaits by following a legitimate career," he said. 
Tommy DeVoss, ethical hacker at HackerOne, told SC Media UK that he thought the best way to educate the younger generation is to show them the benefits of becoming a white hat hacker. He added that this is "a career which presents the same opportunity for fame, notoriety, and money as being a black hat, without the risk of going to prison."
