LuminosityLink spyware giving attackers total control of your PC is taken out by cops

Buyers of the nasty LuminosityLink remote-access trojan will no longer be able to use their spying tool.
Written by Liam Tung, Contributing Writer

Video: How focusing on data security can help your business

The UK's National Crime Agency says it's disabled a widely-used remote-access trojan (RAT) that was used across 78 countries and sold to over 8,600 buyers.

The RAT, dubbed LuminosityLink, surfaced in mid-2015 and was marketed as a legitimate tool for Windows administrators and business owners to "manage a large amount of computers concurrently".

Advertised features included the ability to "control your clients via Remote Desktop, Remote Webcam", automatically log keystrokes, recover passwords, and search and manage files. It was also capable of disabling antivirus and anti-malware software.

According to the Proofpoint malware researchers who discovered the RAT, Luminosity's makers probably marketed it as a legitimate business tool due to the then-recent conviction and sentencing of Alex Yucel, the author of the notorious Blackshades RAT.

NCA and Europol investigators believe there are thousands of Luminosity victims across the world. UK investigators have found evidence of stolen personal details, logon credentials, passwords, private photographs, video footage, and other data.

Free download: Intrusion detection policy

"Law-enforcement activity has now ended the availability of this tool, and it can no longer be used by those who bought it," the NCA said in statement.

The Luminosity RAT was considered a dangerous threat because of its features, ease of use, and low cost. Anyone with the inclination to spy on victims and steal private data could do so for as little as £30.


LuminosityLink buyers could configure infected computers using this interface.

Image: Palo Alto Networks

Arrests related to Luminosity actually began in September. However, for operational reasons they were kept under wraps until today's announcements by Europol and the NCA.

Police in Europe, Australia, and the US have carried out arrests and search warrants as well as issuing cease-and-desist notifications, according to the NCA.

"Luminosity Link is an evil hacking tool that can devastate victims' lives," said David Cox, a senior investigating officer with NCA's National Cyber Crime Unit.

"Through our work with forces and international partners, the RAT is no longer available for sale and no longer works. More than 100 exhibits were seized during the UK operation which investigators are currently working through."

Researchers at Proofpoint discovered Luminosity being distributed via the Sundown exploit kit, which attacked then new Flash Player flaws as well as older Windows flaws.

The exploit kit was delivered in links in phishing email. By June 2016, Palo Alto Networks detected over 50,000 attempted LuminosityLink infections on its network, which included 18,000 unique samples of the malware.

Previous and related coverage

Microsoft: Help us kill off two banking trojans that learned from WannaCry

Microsoft warns that more and more businesses are being infected by consumer-focused banking trojans.

NjRat secures top spot as most active network malware in 2017

The most common Trojan found on today's networks is also, unfortunately, one that script kiddies delight in.

Mysterious cat-and-mouse-themed Trojan RAT is potentially dangerous, but its creators and purpose remain unclear

The highly skilled nature of the threat actors behind Felismus, and their ability to cover their tracks, means that no-one knows their identity or their target.

Evrial Trojan can steal what's saved on your Windows Clipboard, including Bitcoins (TechRepublic)

The recently discovered malware, which is available as a service, also steals passwords and documents and takes screenshots of active windows.

Editorial standards