New variant is being advertised on underground hacking forums
The Kronos banking Trojan, which was first discovered in 2014, is back – and cybersecurity analysts say an updated version is now targeting Europe and Japan.
The new variant of the Trojan was first detected when malicious documents were sent to German financial institutions, according to cybersecurity analysts Proofpoint, who released a report on the new Trojan yesterday.
Proofpoint commented in their report that “The Word documents contained macros that, if enabled, downloaded and executed a new variant of the Kronos banking Trojan. In some cases, the attack used an intermediate Smoke Loader.”
Smoke Loader is an application that can evade detection by changing the timestamp of its executable and hiding modified files.
With this new Kronos variant, Proofpoint found that: “One of the major differences between the new and old versions is the use of .onion C&C URLs along with Tor to help anonymise communications.”
Kronos first surfaced in Russia on an underground site where it was selling for £5,000.
When the Trojan is installed on a computer, it logs the keystrokes of the user, who will potentially be giving away reams of sensitive information, like login credentials.
One of the features of Kronos was that it could change the format of the web pages of banking sites so that they included additional form pages where users could enter account details and PIN numbers.
Proofpoint believe that they have identified not just the new variant of Kronos, but a re-branded campaign to sell the Trojan under the name Osiris.
“Around the same time samples of the new version of Kronos were appearing in the wild, an ad for a new banking Trojan called “Osiris” (the Egyptian god of rebirth, among others) appeared on an underground hacking forum,” they noted.
The advertisement on the underground hacking forum says that the file size of Osiris is 350KB, which is similar in size to samples we have of Kronos.
This malware is being sold under a licensing agreement for £1,500 a month.
Proofpoint state that: “The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape.”
“The first half of this year has been marked by substantial diversity among malicious email campaigns but banking Trojans in particular have predominated,” they note.