Version 2.0.0.0 of a toolkit for the banking Trojan known as KINS was leaked last month, researchers revealed on Sunday.
According to the MalwareMustDie research group, which learned of the leaked files on June 26, the package includes the KINS 2.0.0.0 builder and the source code for the control panel. The package has been widely distributed on the Web, giving cybercriminals the means to generate new malware and control their botnets.
Researchers have pointed out that the developers of the malware builder call the tool “KINS Builder.” However, the binaries generated by it actually appear to be versions of the banking malware called ZeusVM. The malware generated by the builder is completely different from previous KINS versions.
Experts say this shows that KINS developers have integrated ZeusVM technology into their creation.
One of the features borrowed by KINS from ZeusVM is the use of steganography, the practice of concealing a file or message within another file or message. In the case of KINS/ZeusVM, the malware’s configuration data is hidden in a .JPG image file.
MalwareMustDie researchers are providing the KINS toolkit package through private channels to other experts and security firms that want to analyze the threat.
In the meantime, the malware crusaders have teamed up with the French researcher known as Xylit0l and the Japanese researcher known as unixfreaxjp to prevent the toolkit from being distributed. They have managed to remove the package from several websites, but the files have been made available on too many sites.
Experts believe that the leak will lead to more botnets powered by KINS/ZeusVM 2.0.0.0.
MalwareMustDie also revealed that it has spotted ads on cybercrime forums for version 3 of KINS. According to researchers, the malware has been sold for $5,000.
MalwareMustDie has published videos, technical details, and code for the leaked KINS toolkit.
*Updated. The original version of the story incorrectly stated that the source code for both the builder and the control panel was made available. Only the source code for the control panel has been leaked.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
