Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Malware

7/27/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Kronos Returns as Banking Trojan Attacks Ramp Up

Proofpoint researchers have seen a new version of the four-year-old Kronos emerge in campaigns in Europe and Japan. The report also finds it may be rebranded as 'Osiris.'

The notorious Kronos banking Trojan that initially emerged in 2014 and then tailed off has resurfaced with new features and possibly a new name, according to researchers with Proofpoint.

The first samples of the new version of Kronos -- which may have been rebranded as "Osiris" -- were detected in the wild in April and the first use of new variant seen in a campaign in Germany in June, the researchers wrote in a post on the cybersecurity vendor's blog.

Since then, other campaigns have been discovered in Japan and Poland, with a fourth campaign still coming together.

The return of Kronos is also part of a larger trend that is seeing a ramp of banking Trojans in general during the first half of the year, possibly in response to a slowdown in the number of ransomware attacks, according to Sherrod DeGrippo, director of emerging threats at ProofPoint. (See BackSwap Banking Trojan Shows How Malware Evolves.)

"Cybercriminals tend to follow the money and simply put, banking Trojans work," DeGrippo told Security News in an email. "A banking Trojan allows threat actors to literally remove funds from a target's bank account, so the financial gain is instant. We've observed that banking Trojans are again dominating the threat landscape as the mass ransomware campaigns have tailed off recently. This could potentially be attributed to ransomware demands being less likely to be paid given the complexity of obtaining cryptocurrency and the volatility of those values."

Kronos uses man-in-the-browser techniques and webinject rules to steal user credentials, account and other information and money through fraudulent transactions, the researchers wrote. The Trojan accesses the information by changing the web pages of financial institutions.

The most significant difference between the old version of Kronos and the latest variant is a new command-and-control (C&C) feature that uses Tor in an attempt to anonymize communications, the researchers wrote.

The delivery method for the Trojan appears to vary from campaign to campaign.

In Germany, Proofpoint researchers saw an email phishing campaign that used malicious documents purportedly sent from German financial companies and targeting Word marcros. Earlier this month, a malvertising campaign in Japan sent victims to a site containing malicious JavaScript injections, with the JavaScript then sending victims to the RIG exploit kit. That in turn distributed the SmokeLoader downloader malware.

In the Japan campaign, the researchers initially expected to see the Zeus Panda banking Trojan being used, but instead found the new version of Kronos.

In Poland this month, the campaign was propagated through a phishing effort that used malicious Word documents, such as fake invoices that contained an attachment. In the last campaign found this month, it appears that to use the .onion C&C and may be downloaded by clicking on a button that reads "Get It Now" on a website that claims to be a streaming music player.

According to the researchers, at about the same time that the samples of the new Kronos iteration were being seen, an advertisement for Osiris, a new banking Trojan, began appearing on an underground hacking forum. There are a number of similarities between Osiris and the new Kronos variant -- both are banking Trojans written in C++, both use Tor and both use Zeus-formatted webinjects, for example -- and the size is essentially the same (350KB for Osiris and 351KB for an early sample of the Kronos variant).

In addition, some of the file names in the Japan campaign made reference to Osiris.

"While these connections are speculative, they are something to keep in mind as research into this threat continues," the researchers wrote.

It's not unusual for banking Trojan malware to re-emerge with updates and changes, though "generally, it is rare to see a malware fully reappear as Kronos has, especially when the source code of the malware isn't known to be public," Proofpoint’s DeGrippo said. "These kinds of improvements or changes [seen in Kronos] are typical for malware, but this is a long development cycle at 4 years. Threat actors have shown a lot of creativity and an ability to evolve their malware to meet their needs and accomplish their end goals. Often this means updates, new versions, new features, new targeting, and constant development of the malware."

Kronos got extra attention with its link to security researcher Marcus Hutchins, who rose to fame last year for discovering the simple method for shutting down the WannaCry ransomware. Later in the 2017, Hutchins was arrested, accused of writing the Kronos malware in 2014 and selling it on the AlphaBay dark site a year later. (See WannaCry Hero in FBI Custody.)

DeGrippo said banks are working to protect themselves and customers against Trojans like Kronos. Some use two-factor authentication, though many banking Trojans hijack existing authenticated connections.

"They wait for the user to authenticate successfully, then use that already-approved session to transfer money," he said. "Some banks have deployed out of band confirmation of money transfers as a helpful safeguard, where a secondary authentication session is required to add a new payee."

He said business users and consumers should use up-to-date antivirus software, updated operating systems and email gateways solutions that inspect attachments and links that are found in the body of emails. Emails are the most common method for transmitting malware, particularly banking Trojans, DeGrippo said.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-6017
PUBLISHED: 2020-12-03
Valve's Game Networking Sockets prior to version v1.2.0 improperly handles long unreliable segments in function SNP_ReceiveUnreliableSegment() when configured to support plain-text messages, leading to a Heap-Based Buffer Overflow and resulting in a memory corruption and possibly even a remote code ...
CVE-2020-6021
PUBLISHED: 2020-12-03
Check Point Endpoint Security Client for Windows before version E84.20 allows write access to the directory from which the installation repair takes place. Since the MS Installer allows regular users to run the repair, an attacker can initiate the installation repair and place a specially crafted DL...
CVE-2020-6111
PUBLISHED: 2020-12-03
An exploitable denial-of-service vulnerability exists in the IPv4 functionality of Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 16.000, Series B FRN 15.002, Series B FRN 15.000, Series B FRN 14.000, Series B FRN 13.000, Series B FRN 12.000, Series B FRN 11.000 and...
CVE-2020-5680
PUBLISHED: 2020-12-03
Improper input validation vulnerability in EC-CUBE versions from 3.0.5 to 3.0.18 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vector.
CVE-2020-5638
PUBLISHED: 2020-12-03
Cross-site scripting vulnerability in desknet's NEO (desknet's NEO Small License V5.5 R1.5 and earlier, and desknet's NEO Enterprise License V5.5 R1.5 and earlier) allows remote attackers to inject arbitrary script via unspecified vectors.