Romanian police arrested two individuals on Thursday suspected of running three online services designed to aid malware development and distribution.
The arrests are part of a joint operation that included the FBI, Europol, Australian, and Norwegian police.
Investigators said the two Romanian suspects are believed to be the creators of three services named CyberSeal, DataProtector, and CyberScan.
The first two are so-called “crypter” services. Tools of this type let malware developers obfuscate their malware’s code so that it evades detection by antivirus software.
The third service, called CyberScan, worked as a clone of Google’s VirusTotal service. It allowed malware authors to upload and scan their new malware releases to see whether they would be detected by antivirus software.
The difference between CyberScan and VirusTotal was that CyberScan did not share scan results with antivirus vendors. This let malware authors test the detectability of their payloads without fear that a “detection alert” would be sent back to the antivirus company and trigger an investigation.
The two suspects had been active on the malware scene since at least 2014 when they first began advertising CyberSeal. The two other services were launched in 2015 (DataProtector) and 2019 (CyberScan).
All three were advertised on multiple hacking forums for prices ranging from $40 to $150.
Europol said the three tools have often been used to crypt and test different types of malware, such as RATs (Remote Access Trojans), information stealers, and ransomware.
More than 1,560 malware authors used the two crypting services to scramble the code of more than 3,000 malware strains.
Authorities cracked down on the gang yesterday, Thursday, November 19, when they searched four locations in the cities of Bucharest and Craiova in southern Romania and made the two arrests.
According to Romania’s Directorate for Investigating Organized Crime and Terrorism (DIICOT), two other persons believed to be part of the group were also questioned.
Investigators also took down servers in Romania, Norway, and the US. The cyber-seal.org and cyberscan.org domains, used to host two of the services, are now offline.