Security Experts:

KINS Malware Toolkit Leaked Online

Version 2.0.0.0 of a toolkit for the banking Trojan known as KINS was leaked last month, researchers revealed on Sunday.

According to the MalwareMustDie research group, which learned of the leaked files on June 26, the package includes the KINS 2.0.0.0 builder and the source code for the control panel. The package has been widely distributed on the Web, giving cybercriminals the means to generate new malware and control their botnets.

Researchers have pointed out that the developers of the malware builder call the tool “KINS Builder.” However, the binaries generated by it actually appear to be versions of the banking malware called ZeusVM. The malware generated by the builder is completely different from previous KINS versions.

Experts say this shows that KINS developers have integrated ZeusVM technology into their creation.

One of the features borrowed by KINS from ZeusVM is the use of steganography, the practice of concealing a file or message within another file or message. In the case of KINS/ZeusVM, the malware’s configuration data is hidden in a .JPG image file.

MalwareMustDie researchers are providing the KINS toolkit package through private channels to other experts and security firms that want to analyze the threat.

In the meantime, the malware crusaders have teamed up with the French researcher known as Xylit0l and the Japanese researcher known as unixfreaxjp to prevent the toolkit from being distributed. They have managed to remove the package from several websites, but the files have been made available on too many sites.

Experts believe that the leak will lead to more botnets powered by KINS/ZeusVM 2.0.0.0. 

MalwareMustDie also revealed that it has spotted ads on cybercrime forums for version 3 of KINS. According to researchers, the malware has been sold for $5,000.

MalwareMustDie has published videos, technical details, and code for the leaked KINS toolkit.

*Updated. The original version of the story incorrectly stated that the source code for both the builder and the control panel was made available. Only the source code for the control panel has been leaked. 

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.