Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



// // //
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

Kronos Returns as Banking Trojan Attacks Ramp Up

Proofpoint researchers have seen a new version of the four-year-old Kronos emerge in campaigns in Europe and Japan. The report also finds it may be rebranded as 'Osiris.'

The notorious Kronos banking Trojan that initially emerged in 2014 and then tailed off has resurfaced with new features and possibly a new name, according to researchers with Proofpoint.

The first samples of the new version of Kronos -- which may have been rebranded as "Osiris" -- were detected in the wild in April and the first use of new variant seen in a campaign in Germany in June, the researchers wrote in a post on the cybersecurity vendor's blog.

Since then, other campaigns have been discovered in Japan and Poland, with a fourth campaign still coming together.

The return of Kronos is also part of a larger trend that is seeing a ramp of banking Trojans in general during the first half of the year, possibly in response to a slowdown in the number of ransomware attacks, according to Sherrod DeGrippo, director of emerging threats at ProofPoint. (See BackSwap Banking Trojan Shows How Malware Evolves.)

"Cybercriminals tend to follow the money and simply put, banking Trojans work," DeGrippo told Security News in an email. "A banking Trojan allows threat actors to literally remove funds from a target's bank account, so the financial gain is instant. We've observed that banking Trojans are again dominating the threat landscape as the mass ransomware campaigns have tailed off recently. This could potentially be attributed to ransomware demands being less likely to be paid given the complexity of obtaining cryptocurrency and the volatility of those values."

Screenshot of fraudulent music streaming website\r\n(Source: Proofpoint)\r\n
Screenshot of fraudulent music streaming website
\r\n(Source: Proofpoint)\r\n

Kronos uses man-in-the-browser techniques and webinject rules to steal user credentials, account and other information and money through fraudulent transactions, the researchers wrote. The Trojan accesses the information by changing the web pages of financial institutions.

The most significant difference between the old version of Kronos and the latest variant is a new command-and-control (C&C) feature that uses Tor in an attempt to anonymize communications, the researchers wrote.

The delivery method for the Trojan appears to vary from campaign to campaign.

In Germany, Proofpoint researchers saw an email phishing campaign that used malicious documents purportedly sent from German financial companies and targeting Word marcros. Earlier this month, a malvertising campaign in Japan sent victims to a site containing malicious JavaScript injections, with the JavaScript then sending victims to the RIG exploit kit. That in turn distributed the SmokeLoader downloader malware.

In the Japan campaign, the researchers initially expected to see the Zeus Panda banking Trojan being used, but instead found the new version of Kronos.

In Poland this month, the campaign was propagated through a phishing effort that used malicious Word documents, such as fake invoices that contained an attachment. In the last campaign found this month, it appears that to use the .onion C&C and may be downloaded by clicking on a button that reads "Get It Now" on a website that claims to be a streaming music player.

According to the researchers, at about the same time that the samples of the new Kronos iteration were being seen, an advertisement for Osiris, a new banking Trojan, began appearing on an underground hacking forum. There are a number of similarities between Osiris and the new Kronos variant -- both are banking Trojans written in C++, both use Tor and both use Zeus-formatted webinjects, for example -- and the size is essentially the same (350KB for Osiris and 351KB for an early sample of the Kronos variant).

In addition, some of the file names in the Japan campaign made reference to Osiris.

"While these connections are speculative, they are something to keep in mind as research into this threat continues," the researchers wrote.

It's not unusual for banking Trojan malware to re-emerge with updates and changes, though "generally, it is rare to see a malware fully reappear as Kronos has, especially when the source code of the malware isn't known to be public," Proofpoint’s DeGrippo said. "These kinds of improvements or changes [seen in Kronos] are typical for malware, but this is a long development cycle at 4 years. Threat actors have shown a lot of creativity and an ability to evolve their malware to meet their needs and accomplish their end goals. Often this means updates, new versions, new features, new targeting, and constant development of the malware."

Kronos got extra attention with its link to security researcher Marcus Hutchins, who rose to fame last year for discovering the simple method for shutting down the WannaCry ransomware. Later in the 2017, Hutchins was arrested, accused of writing the Kronos malware in 2014 and selling it on the AlphaBay dark site a year later. (See WannaCry Hero in FBI Custody.)

DeGrippo said banks are working to protect themselves and customers against Trojans like Kronos. Some use two-factor authentication, though many banking Trojans hijack existing authenticated connections.

"They wait for the user to authenticate successfully, then use that already-approved session to transfer money," he said. "Some banks have deployed out of band confirmation of money transfers as a helpful safeguard, where a secondary authentication session is required to add a new payee."

He said business users and consumers should use up-to-date antivirus software, updated operating systems and email gateways solutions that inspect attachments and links that are found in the body of emails. Emails are the most common method for transmitting malware, particularly banking Trojans, DeGrippo said.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file