Kronos Banking Trojan Makes a Comeback


It appears the infamous Kronos banking trojan is back as researchers have identified three campaigns distributing a revamped version of this banking trojan. First discovered in 2014 it was believed that trojan had disappeared. Proofpoint security researchers now report that new samples of Kronos have been spotted in April, this year.

The three campaigns have been seen targeting Germany, Japan, and Poland. There's also a fourth campaign that appears to be a work in progress. "The most notable new feature is that the command and control (C&C) mechanism has been refactored to use the Tor anonymizing network," researchers wrote. "There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded 'Osiris' and is being sold on underground markets."

Remember Marcus Hutchins? Prosecutors Now Claim WannaCry Hero Admitted to Writing Kronos Banking Malware

While April samples appeared to be tests, real-life campaigns were spotted in June when the exploit kits started to get deliver to new users. The malware is dropped through the tried and tested method of sending messages and files that appear to be coming from financial institutes.

The Word documents contained macros that, if enabled, downloaded and executed a new variant of the Kronos banking Trojan. In some cases, the attack used an intermediate Smoke Loader. Kronos was configured to use http://jhrppbnh4d674kzh[.]onion/kpanel/connect.php as its C&C URL and downloaded webinjects targeting five German financial institutions.

The campaign that was spotted targeting Japan involved a malvertising campaign, where malicious ads led users to a site where JavaScript injections redirected to the exploit kit. The downloader would ultimately drop Kronos on to the victim machines.

Kronos banking trojan gets a rebirth

Kronos banking Trojan uses man-in-the-browser techniques along with webinject rules to modify the web pages of financial institutions, ultimately enabling attackers to steal user credentials that lead to fraudulent transactions.

Researchers wrote that around the same time that new samples of Kronos were spotted, they also saw an ad for a new banking Trojan called “Osiris” (the Egyptian god of rebirth) on an underground hacking forum. Osiris could actually be the rebirth of Kronos.

“The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape," researchers wrote. "While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan."

Technical details available here.