Security Experts:

Kronos: New Financial Malware Sold on Russian Underground Forum

Malware developers have recently started advertising a new banking Trojan on a Russian cybercrime forum, researchers from Trusteer reported on Friday.

The malware, dubbed "Kronos," costs $7,000, but its creators are giving potential customers the opportunity to conduct one-week tests for the price of $1,000, which includes full access to the command & control (C&C) server and to all of the Trojan's capabilities, the IBM security company said.

Trusteer researchers noted that coincidence or not, in Greek mythology, Kronos is the father of Zeus.

The creators of Kronos promise a lifetime product license, and free updates and bug fixes for those who pay the $7,000, amount which can be paid via Bitcoin, Perfect Money, WMZ, and the Bitcoin/Litecoin exchange BTC-E.  While updates and bug fixes are free of charge, customers will have to separately acquire newly created modules, the malware creators explained in a forum post. When Trusteer stumbled upon the offer, the threat wasn't released yet and its authors were promising pre-release discounts.

Similar to other banking Trojans, Kronos comes with form-grabbing and HTML injection capabilities that are allegedly compatible with both the latest and most older versions of Chrome, Firefox and Internet Explorer Web browsers. 

"In addition, the HTML injection mechanism is compatible with Zeus. Because Zeus is the most widely deployed malware, and it is likely that potential clients have used or still use Zeus variants, the authors of Kronos made sure that the HTML injection files used by Zeus operators can be easily implemented with Kronos," Etay Maor, a senior fraud prevention strategist at Trusteer, wrote in a blog post.

The Trojan also supposedly runs on both 32-bit and 64-bit systems and includes rootkit capabilities that make it stealthier and protect it against other pieces of malware. Kronos is also designed to evade antivirus solutions, by using what its authors call an undetected injection method, and sandboxes. Communications between bots and the C&C server are encrypted, the developers said.

 Trusteer researchers point out that they haven't performed an analysis of the threat. All the information provided is based on the posts published on an underground forum by the malware developers. It remains to be seen if this new Trojan is legitimate and will be widely adopted by cybercriminals considering that it's currently marketed as one of the most expensive pieces of malware.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.