Kronos Returns as Banking Trojan Attacks Ramp Up

The notorious Kronos banking Trojan that initially emerged in 2014 and then tailed off has resurfaced with new features and possibly a new name, according to researchers with Proofpoint.

The first samples of the new version of Kronos -- which may have been rebranded as "Osiris" -- were detected in the wild in April and the first use of new variant seen in a campaign in Germany in June, the researchers wrote in a post on the cybersecurity vendor's blog.

Since then, other campaigns have been discovered in Japan and Poland, with a fourth campaign still coming together.

The return of Kronos is also part of a larger trend that is seeing a ramp of banking Trojans in general during the first half of the year, possibly in response to a slowdown in the number of ransomware attacks, according to Sherrod DeGrippo, director of emerging threats at ProofPoint. (See BackSwap Banking Trojan Shows How Malware Evolves.)

"Cybercriminals tend to follow the money and simply put, banking Trojans work," DeGrippo told Security News in an email. "A banking Trojan allows threat actors to literally remove funds from a target's bank account, so the financial gain is instant. We've observed that banking Trojans are again dominating the threat landscape as the mass ransomware campaigns have tailed off recently. This could potentially be attributed to ransomware demands being less likely to be paid given the complexity of obtaining cryptocurrency and the volatility of those values."

Screenshot of fraudulent music streaming website
\r\n(Source: Proofpoint)\r\n

Kronos uses man-in-the-browser techniques and webinject rules to steal user credentials, account and other information and money through fraudulent transactions, the researchers wrote. The Trojan accesses the information by changing the web pages of financial institutions.

The most significant difference between the old version of Kronos and the latest variant is a new command-and-control (C&C) feature that uses Tor in an attempt to anonymize communications, the researchers wrote.

The delivery method for the Trojan appears to vary from campaign to campaign.

In Germany, Proofpoint researchers saw an email phishing campaign that used malicious documents purportedly sent from German financial companies and targeting Word marcros. Earlier this month, a malvertising campaign in Japan sent victims to a site containing malicious JavaScript injections, with the JavaScript then sending victims to the RIG exploit kit. That in turn distributed the SmokeLoader downloader malware.

In the Japan campaign, the researchers initially expected to see the Zeus Panda banking Trojan being used, but instead found the new version of Kronos.

In Poland this month, the campaign was propagated through a phishing effort that used malicious Word documents, such as fake invoices that contained an attachment. In the last campaign found this month, it appears that to use the .onion C&C and may be downloaded by clicking on a button that reads "Get It Now" on a website that claims to be a streaming music player.

According to the researchers, at about the same time that the samples of the new Kronos iteration were being seen, an advertisement for Osiris, a new banking Trojan, began appearing on an underground hacking forum. There are a number of similarities between Osiris and the new Kronos variant -- both are banking Trojans written in C++, both use Tor and both use Zeus-formatted webinjects, for example -- and the size is essentially the same (350KB for Osiris and 351KB for an early sample of the Kronos variant).

In addition, some of the file names in the Japan campaign made reference to Osiris.

"While these connections are speculative, they are something to keep in mind as research into this threat continues," the researchers wrote.

It's not unusual for banking Trojan malware to re-emerge with updates and changes, though "generally, it is rare to see a malware fully reappear as Kronos has, especially when the source code of the malware isn't known to be public," Proofpoint’s DeGrippo said. "These kinds of improvements or changes [seen in Kronos] are typical for malware, but this is a long development cycle at 4 years. Threat actors have shown a lot of creativity and an ability to evolve their malware to meet their needs and accomplish their end goals. Often this means updates, new versions, new features, new targeting, and constant development of the malware."

Kronos got extra attention with its link to security researcher Marcus Hutchins, who rose to fame last year for discovering the simple method for shutting down the WannaCry ransomware. Later in the 2017, Hutchins was arrested, accused of writing the Kronos malware in 2014 and selling it on the AlphaBay dark site a year later. (See WannaCry Hero in FBI Custody.)

DeGrippo said banks are working to protect themselves and customers against Trojans like Kronos. Some use two-factor authentication, though many banking Trojans hijack existing authenticated connections.

"They wait for the user to authenticate successfully, then use that already-approved session to transfer money," he said. "Some banks have deployed out of band confirmation of money transfers as a helpful safeguard, where a secondary authentication session is required to add a new payee."

He said business users and consumers should use up-to-date antivirus software, updated operating systems and email gateways solutions that inspect attachments and links that are found in the body of emails. Emails are the most common method for transmitting malware, particularly banking Trojans, DeGrippo said.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.