
Malware

7/27/2018
08:05 AM
Jeffrey Burt

Kronos Returns as Banking Trojan Attacks Ramp Up

Proofpoint researchers have seen a new version of the four-year-old Kronos emerge in campaigns in Europe and Japan. The report also finds it may be rebranded as 'Osiris.'

The notorious Kronos banking Trojan that initially emerged in 2014 and then tailed off has resurfaced with new features and possibly a new name, according to researchers with Proofpoint.

The first samples of the new version of Kronos -- which may have been rebranded as "Osiris" -- were detected in the wild in April, and the first use of the new variant was seen in a campaign in Germany in June, the researchers wrote in a post on the cybersecurity vendor's blog.

Since then, other campaigns have been discovered in Japan and Poland, with a fourth campaign still coming together.

The return of Kronos is also part of a larger trend: a ramp-up in banking Trojans in general during the first half of the year, possibly in response to a slowdown in the number of ransomware attacks, according to Sherrod DeGrippo, director of emerging threats at Proofpoint. (See BackSwap Banking Trojan Shows How Malware Evolves.)

"Cybercriminals tend to follow the money and simply put, banking Trojans work," DeGrippo told Security News in an email. "A banking Trojan allows threat actors to literally remove funds from a target's bank account, so the financial gain is instant. We've observed that banking Trojans are again dominating the threat landscape as the mass ransomware campaigns have tailed off recently. This could potentially be attributed to ransomware demands being less likely to be paid given the complexity of obtaining cryptocurrency and the volatility of those values."

[Image: Screenshot of fraudulent music streaming website (Source: Proofpoint)]

Kronos uses man-in-the-browser techniques and webinject rules to steal user credentials, account and other information, and money through fraudulent transactions, the researchers wrote. The Trojan accesses the information by changing the web pages of financial institutions as they are displayed in the victim's browser.

The most significant difference between the old version of Kronos and the latest variant is a new command-and-control (C&C) feature that uses Tor in an attempt to anonymize communications, the researchers wrote.

The delivery method for the Trojan appears to vary from campaign to campaign.

In Germany, Proofpoint researchers saw an email phishing campaign that used malicious documents, purportedly sent from German financial companies, that relied on Word macros. Earlier this month, a malvertising campaign in Japan sent victims to a site containing malicious JavaScript injections, with the JavaScript then sending victims to the RIG exploit kit. That in turn distributed the SmokeLoader downloader malware.

In the Japan campaign, the researchers initially expected to see the Zeus Panda banking Trojan being used, but instead found the new version of Kronos.

In Poland this month, the campaign was propagated through a phishing effort that used malicious Word documents, such as fake invoices sent as attachments. In the last campaign found this month, the Trojan appears to use the .onion C&C and may be downloaded by clicking a button that reads "Get It Now" on a website that claims to be a streaming music player.

According to the researchers, at about the same time that the samples of the new Kronos iteration were being seen, an advertisement for Osiris, a new banking Trojan, began appearing on an underground hacking forum. There are a number of similarities between Osiris and the new Kronos variant -- both are banking Trojans written in C++, both use Tor and both use Zeus-formatted webinjects, for example -- and the size is essentially the same (350KB for Osiris and 351KB for an early sample of the Kronos variant).

In addition, some of the file names in the Japan campaign made reference to Osiris.

"While these connections are speculative, they are something to keep in mind as research into this threat continues," the researchers wrote.

It's not unusual for banking Trojan malware to re-emerge with updates and changes, though "generally, it is rare to see a malware fully reappear as Kronos has, especially when the source code of the malware isn't known to be public," Proofpoint’s DeGrippo said. "These kinds of improvements or changes [seen in Kronos] are typical for malware, but this is a long development cycle at 4 years. Threat actors have shown a lot of creativity and an ability to evolve their malware to meet their needs and accomplish their end goals. Often this means updates, new versions, new features, new targeting, and constant development of the malware."

Kronos got extra attention with its link to security researcher Marcus Hutchins, who rose to fame last year for discovering the simple method for shutting down the WannaCry ransomware. Later in 2017, Hutchins was arrested, accused of writing the Kronos malware in 2014 and selling it on the AlphaBay dark web site a year later. (See WannaCry Hero in FBI Custody.)

DeGrippo said banks are working to protect themselves and customers against Trojans like Kronos. Some use two-factor authentication, though many banking Trojans hijack existing authenticated connections.

"They wait for the user to authenticate successfully, then use that already-approved session to transfer money," he said. "Some banks have deployed out of band confirmation of money transfers as a helpful safeguard, where a secondary authentication session is required to add a new payee."
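The safeguard DeGrippo describes, modelled as a minimal server-side transfer policy. This is an added example, not Proofpoint's or any bank's code: a session that already passed login 2FA cannot pay a payee that has not first been confirmed over a separate channel, so a hijacked post-login session alone is not enough. All names, the HMAC-based confirmation code and the sample data are assumptions constructed for the illustration.

```python
# Added example (constructed): login 2FA proves who opened the session, but a
# banking Trojan riding that same session never sees the second channel, so
# adding a payee requires its own out-of-band confirmation.
from dataclasses import dataclass
import hmac
import hashlib

OOB_SECRET = b"demo-only-secret"   # constructed; a real system keeps this in an HSM/KMS
CONFIRMED_PAYEES: dict = {}        # user -> set of payees confirmed out of band (constructed store)


@dataclass
class Session:
    user: str
    login_mfa_passed: bool         # True once the user completed login 2FA


def issue_oob_challenge(user: str, payee: str, nonce: bytes) -> str:
    """Code delivered over the second channel (SMS, app push), bound to user and payee."""
    msg = f"{user}:{payee}".encode() + nonce
    return hmac.new(OOB_SECRET, msg, hashlib.sha256).hexdigest()[:8]


def confirm_payee(session: Session, payee: str, nonce: bytes, submitted_code: str) -> bool:
    """Add a payee to the user's allow-list only if the second-channel code is correct."""
    expected = issue_oob_challenge(session.user, payee, nonce)
    if not hmac.compare_digest(expected, submitted_code):
        return False
    CONFIRMED_PAYEES.setdefault(session.user, set()).add(payee)
    return True


def authorize_transfer(session: Session, payee: str, amount: float) -> str:
    """Decision for a transfer request arriving over the authenticated web session."""
    if not session.login_mfa_passed:
        return "deny: unauthenticated"
    if amount <= 0:
        return "deny: invalid amount"
    if payee not in CONFIRMED_PAYEES.get(session.user, set()):
        # This is the branch a session-hijacking Trojan lands in: it holds the
        # browser session but cannot answer the out-of-band challenge.
        return "deny: payee not confirmed out of band"
    return "allow"


if __name__ == "__main__":
    s = Session("alice", login_mfa_passed=True)
    print(authorize_transfer(s, "unknown-account", 500))   # denied despite valid session
    code = issue_oob_challenge("alice", "landlord", b"nonce-1")
    confirm_payee(s, "landlord", b"nonce-1", code)
    print(authorize_transfer(s, "landlord", 500))           # allowed after OOB confirmation
```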

He said business users and consumers should use up-to-date antivirus software, updated operating systems and email gateway solutions that inspect attachments and links found in the body of emails. Email is the most common method for transmitting malware, particularly banking Trojans, DeGrippo said.

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
