Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

Kronos Returns as Banking Trojan Attacks Ramp Up

Proofpoint researchers have seen a new version of the four-year-old Kronos emerge in campaigns in Europe and Japan. The report also finds it may be rebranded as 'Osiris.'

The notorious Kronos banking Trojan that initially emerged in 2014 and then tailed off has resurfaced with new features and possibly a new name, according to researchers with Proofpoint.

The first samples of the new version of Kronos -- which may have been rebranded as "Osiris" -- were detected in the wild in April and the first use of new variant seen in a campaign in Germany in June, the researchers wrote in a post on the cybersecurity vendor's blog.

Since then, other campaigns have been discovered in Japan and Poland, with a fourth campaign still coming together.

The return of Kronos is also part of a larger trend that is seeing a ramp of banking Trojans in general during the first half of the year, possibly in response to a slowdown in the number of ransomware attacks, according to Sherrod DeGrippo, director of emerging threats at ProofPoint. (See BackSwap Banking Trojan Shows How Malware Evolves.)

"Cybercriminals tend to follow the money and simply put, banking Trojans work," DeGrippo told Security News in an email. "A banking Trojan allows threat actors to literally remove funds from a target's bank account, so the financial gain is instant. We've observed that banking Trojans are again dominating the threat landscape as the mass ransomware campaigns have tailed off recently. This could potentially be attributed to ransomware demands being less likely to be paid given the complexity of obtaining cryptocurrency and the volatility of those values."

Kronos uses man-in-the-browser techniques and webinject rules to steal user credentials, account and other information and money through fraudulent transactions, the researchers wrote. The Trojan accesses the information by changing the web pages of financial institutions.

The most significant difference between the old version of Kronos and the latest variant is a new command-and-control (C&C) feature that uses Tor in an attempt to anonymize communications, the researchers wrote.

The delivery method for the Trojan appears to vary from campaign to campaign.

In Germany, Proofpoint researchers saw an email phishing campaign that used malicious documents purportedly sent from German financial companies and targeting Word marcros. Earlier this month, a malvertising campaign in Japan sent victims to a site containing malicious JavaScript injections, with the JavaScript then sending victims to the RIG exploit kit. That in turn distributed the SmokeLoader downloader malware.

In the Japan campaign, the researchers initially expected to see the Zeus Panda banking Trojan being used, but instead found the new version of Kronos.

In Poland this month, the campaign was propagated through a phishing effort that used malicious Word documents, such as fake invoices that contained an attachment. In the last campaign found this month, it appears that to use the .onion C&C and may be downloaded by clicking on a button that reads "Get It Now" on a website that claims to be a streaming music player.

According to the researchers, at about the same time that the samples of the new Kronos iteration were being seen, an advertisement for Osiris, a new banking Trojan, began appearing on an underground hacking forum. There are a number of similarities between Osiris and the new Kronos variant -- both are banking Trojans written in C++, both use Tor and both use Zeus-formatted webinjects, for example -- and the size is essentially the same (350KB for Osiris and 351KB for an early sample of the Kronos variant).

In addition, some of the file names in the Japan campaign made reference to Osiris.

"While these connections are speculative, they are something to keep in mind as research into this threat continues," the researchers wrote.

It's not unusual for banking Trojan malware to re-emerge with updates and changes, though "generally, it is rare to see a malware fully reappear as Kronos has, especially when the source code of the malware isn't known to be public," Proofpoint’s DeGrippo said. "These kinds of improvements or changes [seen in Kronos] are typical for malware, but this is a long development cycle at 4 years. Threat actors have shown a lot of creativity and an ability to evolve their malware to meet their needs and accomplish their end goals. Often this means updates, new versions, new features, new targeting, and constant development of the malware."

Kronos got extra attention with its link to security researcher Marcus Hutchins, who rose to fame last year for discovering the simple method for shutting down the WannaCry ransomware. Later in the 2017, Hutchins was arrested, accused of writing the Kronos malware in 2014 and selling it on the AlphaBay dark site a year later. (See WannaCry Hero in FBI Custody.)

DeGrippo said banks are working to protect themselves and customers against Trojans like Kronos. Some use two-factor authentication, though many banking Trojans hijack existing authenticated connections.

"They wait for the user to authenticate successfully, then use that already-approved session to transfer money," he said. "Some banks have deployed out of band confirmation of money transfers as a helpful safeguard, where a secondary authentication session is required to add a new payee."

He said business users and consumers should use up-to-date antivirus software, updated operating systems and email gateways solutions that inspect attachments and links that are found in the body of emails. Emails are the most common method for transmitting malware, particularly banking Trojans, DeGrippo said.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.