Kronos Banking Trojan Has Returned

The Kronos banking Trojan is showing renewed strength and has been very active over the past several months, Proofpoint security researchers warn. 

Kronos malware was first discovered in 2014 and maintained a steady presence on the threat landscape for a few years, before largely disappearing for a while. It uses man-in-the-browser (MiTB) attacks and webinjects to modify accessed web pages and steal user credentials, account information, and other data. It can also log keystrokes and has hidden VNC functionality.

Last year, the United States Federal Bureau of Investigation said that Kronos was built and distributed by British researcher Marcus Hutchins, who goes by the online handle of MalwareTech and who is known for stopping the WannaCry ransomware attack. 

The new Kronos samples, which were observed in campaigns targeting users in Germany, Japan, and Poland, are connecting to a command and control (C&C) domain on the Tor network. There’s also speculation that the malware might have been rebranded to Osiris, but no hard evidence on this has emerged so far. 

The first campaign carrying the new Kronos samples was observed on June 27, targeting German users with malicious documents attached to spam emails. The documents carried macros to download and execute the malware and the SmokeLoader Trojan downloader was used in some cases. 

Targeting Japan, the second campaign was observed on July 13 and involved a malvertising chain. Malicious ads took users to a site where JavaScript injections redirected to the RIG exploit kit, which delivered SmokeLoader. The downloader would then drop Kronos onto the compromised machines. 

The Poland campaign started on July 15 and involved fake invoice emails carrying malicious documents that attempted to exploit CVE-2017-11882 (the Equation Editor vulnerability) to download and execute Kronos. 

The Kronos samples observed in all three campaigns were configured to use .onion domains for C&C purposes. The researchers also observed that webinjects were used in the German and Japanese campaigns, but none was seen in the attacks on Poland.

A fourth campaign observed on July 20 appeared to be work in progress. The Kronos samples were once again configured to use the Tor network and a test webinject was spotted. 

The 2018 Kronos samples feature extensive code and string overlap with the older versions: they abuse the same Windows API hashing technique (with the same hash values) and the same string encryption technique, use the same webinject format, and keep the same C&C protocol and encryption mechanism. 

The C&C panel file layout is also similar to the older variants and a self-identifying string is also present in the malware. The major change, however, is the use of .onion C&C URLs and the Tor network to anonymize communications. 
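Because .onion is a reserved special-use top-level domain that no public resolver serves, a lookup for one in enterprise DNS logs is a cheap, high-signal indicator for the Tor-based C&C described above. The following detector is an added example written for this page, not code from Proofpoint or SecurityWeek; the log format and every hostname and client address in it are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample DNS query log (not from the article). Format assumed here:
# "<timestamp> <client-ip> <query-type> <queried-name>".
SAMPLE_DNS_LOG = """\
2018-07-20T10:01:02Z 10.0.0.12 A www.example.com
2018-07-20T10:01:05Z 10.0.0.12 A abcdefghijklmnop.onion
2018-07-20T10:02:11Z 10.0.0.33 AAAA mail.example.org
2018-07-20T10:03:40Z 10.0.0.33 A fake.onion.example.net
2018-07-20T10:04:01Z 10.0.0.12 A xy7vf3k5q2dhg4wjcq6pzb3s5vkp6u2a4bqmdvznbekg5ifpm3i3u7yd.onion
2018-07-20T10:05:13Z 10.0.0.51 A kronos.onion
"""


@dataclass
class Finding:
    timestamp: str
    client: str
    name: str
    reason: str


_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|CNAME|TXT)\s+(\S+)$")
# Tor onion service names are base32 (a-z, 2-7): 16 chars for v2, 56 for v3.
_V2_RE = re.compile(r"^[a-z2-7]{16}\.onion$")
_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")


def classify_onion(name: str) -> Optional[str]:
    """Return a reason string if `name` is under .onion, else None.

    Only names whose *last* label is "onion" count; "fake.onion.example.net"
    is an ordinary internet name and is ignored.
    """
    host = name.lower().rstrip(".")
    if not host.endswith(".onion"):
        return None
    labels = host.split(".")
    base = ".".join(labels[-2:])  # the service name plus the .onion suffix
    if _V3_RE.match(base):
        return "tor v3 onion address"
    if _V2_RE.match(base):
        return "tor v2 onion address"
    # Anything else under .onion is not a valid Tor name but is still a
    # lookup that should never reach an enterprise resolver.
    return "malformed .onion name"


def scan_dns_log(text: str) -> List[Finding]:
    """Parse log lines and return one Finding per .onion lookup, in log order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unparseable lines rather than failing
        ts, client, _qtype, name = m.groups()
        reason = classify_onion(name)
        if reason is not None:
            findings.append(Finding(ts, client, name.lower().rstrip("."), reason))
    return findings


def findings_by_client(findings: List[Finding]) -> Dict[str, int]:
    """Count .onion lookups per client so the noisiest host can be triaged first."""
    return dict(Counter(f.client for f in findings))


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{f.timestamp} {f.client} -> {f.name} ({f.reason})")
    print(findings_by_client(scan_dns_log(SAMPLE_DNS_LOG)))
```

Two caveats apply. A malware sample that bundles its own Tor client resolves the .onion name inside the Tor circuit, so the query never reaches the enterprise resolver and this check must be paired with detection of Tor traffic itself. Conversely, resolvers that follow RFC 7686 refuse .onion queries outright, so the useful telemetry is the attempted query, not whether it succeeded.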

There is also some evidence to suggest that the malware might have been rebranded to Osiris (the Egyptian god of rebirth). 

Osiris is being advertised on underground forums with capabilities that overlap those observed in the new version of Kronos and with roughly the same size (about 350 KB), and the researchers also observed a file-naming scheme in Kronos that appears to suggest a connection with Osiris. 

“The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape. […] While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan,” Proofpoint concludes. 

Related: Code Linked to MalwareTech and Kronos Published in 2009

Related: British Researcher Pleads Not Guilty to Creating Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
