Researchers have uncovered a new professional-grade banking Trojan that could soon rival Zeus, SpyEye and Citadel in how effectively it spreads.
Dubbed KINS, the new banking Trojan has several features in common with Zeus and SpyEye, as well as having a similar DLL-plugin-based architecture, Limor Kessem, a cybercrime and online fraud communications specialist at RSA, wrote Tuesday on the RSA FraudAction Research Labs blog. It is spread using popular exploit packs such as Neutrino, one of the most sophisticated toolkits currently available.
KINS has a bootkit capability and can infect the computer from a much deeper level, at its volume boot record (VBR), and can “easily infect” machines running Windows 8 and other 64-bit operating systems.
A vendor in a closed Russian-speaking online forum announced the open sale of the Trojan this month, Kessem said. A standard version of the Trojan is available for $5,000 in WebMoney, and additional plug-ins, such as the Anti-Rapport module, are available for $2,000.
There was a “growing appetite” in the criminal underground for a “new ‘real’ banking malware in the online fraud arena,” Kessem said. Underground chatter indicated the criminals would “eagerly welcome a new developer and jointly finance a banker project,” provided it was commercially available, easy to use, and backed by quality technical support, according to the post. With Citadel going off the semi-open market in December, and Zeus and SpyEye not being as active in recent years, the cyber-criminals “have been scrambling to find a replacement,” she said.
“It is not surprising that KINS’ developer is being ushered into the Russian-speaking cybercrime community with much enthusiasm, commended for his decision to make KINS commercial and share it the old-fashioned way,” Kessem said.
The developer also seems to have learned some lessons from the previous Trojans. KINS avoids Trojan trackers, a problem that plagued SpyEye. Much like SpyEye, KINS is compatible with Zeus Web injections and will work over the remote desktop protocol.
Zeus soared to popularity because it was a full kit, and wannabe criminals didn’t need much technical savvy to create their own Trojan variants and put together attack campaigns. KINS also does not require technical savvy, which would likely encourage its popularity.
RSA fraud intelligence researchers have been seeing hints about KINS since early February, according to the post. There were rumors during development that KINS was associated with Citadel, although those rumors were squashed pretty quickly. However, like Citadel, KINS will not infect Russian- or Ukrainian-language systems, Kessem said. If the malware detects either language setting on the targeted machine, KINS terminates.
“With all other major malware developers choosing to lay low to avoid imminent arrest by law enforcement authorities, KINS’ author is very sure to see an immediate demand for his Trojan, so long as he can avoid capture himself and as soon as high-ranking peers sign off on its crime-grade quality,” Kessem said.