Endpoint

7/26/2018
05:10 PM
Kronos Banking Trojan Resurfaces

Re-emergence of malware consistent with overall surge in banking malware activity this year, Proofpoint says.

Like a bad penny, the notorious Kronos banking Trojan has turned up again after disappearing from the threat landscape for well more than a year.

Security vendor Proofpoint this week said it had recently observed a new variant of Kronos being used in separate campaigns against users in Germany, Japan, and Poland. A fourth campaign involving the malware appears to be in the works and is currently being tested.

The new variant is very similar to older versions, except that it now uses the Tor anonymizing network to hide its command-and-control (C&C) server.

Otherwise, the new version uses the same Windows API hashing techniques and hashes, encryption technique, C&C encryption mechanism, Zeus webinject format, and C&C panel layout. The new malware even includes a self-identifying string labeling it as Kronos.

The sudden reappearance is consistent with a broader resurgence in malicious activity involving banking Trojans so far this year, says Sherrod DeGrippo, director of emerging threats at Proofpoint. "We can only speculate on the reasons for the disappearance [of Kronos], but banking Trojans have come to dominate the threat landscape over the first half of 2018," she says.

One reason could be that ransomware has fallen out of favor among cybercriminals because of the volatility in prices of the cryptocurrencies used to make ransom payments, DeGrippo notes. Development activity around banking Trojans has surged even as threat actors' interest in ransomware has declined.

According to Proofpoint, a recent advertisement in an underground forum suggests that the authors of the latest Kronos variant are attempting to pass it off as a new banking Trojan dubbed Osiris. The description for Osiris — including the fact that it is written in C++, has keylogging and form-grabbing capabilities, and uses Tor and Zeus-formatted webinjects — suggests that the malware is simply the latest Kronos variant with a new name.

"This is essentially a rebranding of the old version of Kronos," DeGrippo says. "The use of Tor is really the only new feature of significance."

Kronos first surfaced in 2014 and is designed to steal the credentials and other information people use to log into their online banking accounts. The malware uses man-in-the-browser (MITB) techniques and webinjects to stealthily modify the Web pages of the financial institution a user is attempting to log into, capture that person's credentials, and later use them to steal money from the account.

The FBI has accused British security researcher Marcus Hutchins — the individual credited with stopping the WannaCry outbreak last year — of developing Kronos and distributing it to others between 2014 and 2015. Hutchins was arrested in August 2017 and is currently awaiting trial in the US on charges related to this and another malware kit dubbed Upas.

Kronos is similar to several other successful banking Trojans in many ways. But it does appear to have a habit of re-emerging every now and then, DeGrippo says. "Like Dridex, Zeus, Ursnif, and other bankers with substantial staying power, it comes down to malware authors and threat actors who are willing to invest in development and maintenance, as well as distribution and configuration of injects," she says.

The campaigns in Germany, Poland, and Japan that Proofpoint recently observed all involve the new Kronos variant but use slightly different techniques to infect end-user systems. In Germany, users are being targeted via emails purporting to be from financial companies and seemingly pertaining to account updates and other account reminders. The emails contain Word documents with malicious macros that, if enabled, download the new Kronos variant.

The campaign in Japan has involved the use of a malvertising chain to send victims to a site with malicious JavaScript injections that redirect them to the RIG exploit kit, which then dumps the new Kronos variant on their systems. Polish users, meanwhile, are being targeted with emails containing a malicious attachment that, when executed, exploits CVE-2017-11882, a memory corruption issue in Microsoft Office, to download Kronos. Like the campaign in Germany, the emails in Poland come with subject headers designed to fool recipients into opening the attachments.
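The German campaign described above relies on the recipient enabling a macro inside a Word attachment. A mail gateway or endpoint script can flag macro-enabled Office documents before they reach an inbox, which is the kind of check a defender would put in front of this lure. The following is an added example written for this article, not code from Proofpoint or from the original piece: it inspects an OOXML (.docm/.docx/.xlsm) package for an embedded VBA project, both by part name and by the content type declared in `[Content_Types].xml`. The sample documents it builds are constructed in memory for the demonstration; legacy binary `.doc` (OLE) files are out of scope here and would need a separate parser.

```python
import io
import zipfile

# Content type that an OOXML package declares for an embedded VBA project.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_indicators(data: bytes) -> dict:
    """Inspect an OOXML document (given as bytes) for signs of an embedded VBA project.

    Returns a dict with:
      is_ooxml                  - the bytes parse as a zip with [Content_Types].xml
      vba_parts                 - package parts named vbaProject.bin (any case)
      content_type_declares_vba - [Content_Types].xml declares the VBA content type
    """
    result = {"is_ooxml": False, "vba_parts": [], "content_type_declares_vba": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip container at all; nothing to inspect here (e.g. a legacy OLE .doc).
        return result
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        # Word stores macros in word/vbaProject.bin, Excel in xl/, PowerPoint in ppt/.
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
        result["content_type_declares_vba"] = MACRO_CONTENT_TYPE in ctypes
    return result


def has_macros(data: bytes) -> bool:
    """True if either indicator fires; a gateway would quarantine or sandbox such a file."""
    ind = find_macro_indicators(data)
    return bool(ind["vba_parts"]) or ind["content_type_declares_vba"]


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        overrides = (
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.'
            'wordprocessingml.document.main+xml"/>'
        )
        if with_macro:
            overrides += (
                '<Override PartName="/word/vbaProject.bin" '
                'ContentType="application/vnd.ms-office.vbaProject"/>'
            )
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            'package/2006/content-types">' + overrides + "</Types>",
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample_document(True)),
                       ("plain", build_sample_document(False))):
        print(label, "->", "FLAG" if has_macros(doc) else "ok", find_macro_indicators(doc))
```

Checking both the part name and the declared content type matters: an attacker-controlled package can omit or rename parts, so a single indicator is easy to miss, while a mismatch between the two (a declared VBA type with no matching part, or vice versa) is itself worth flagging for review.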

Banking Trojans are very hard for banks themselves to address since the malware operates on the client side and typically uses MITB-style attacks, DeGrippo says.

Much of the onus must fall on individuals to prevent infection in the first place. "While banks can implement two-factor authentication for some degree of protection, even this is not a panacea for modern, sophisticated banking Trojans and is often considered too burdensome by consumers," she says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
