Banking Trojan Kronos reborn
Alas, danger has returned with the dark revelation that the Kronos banking Trojan has been reborn with the new name Osiris.
According to cybersecurity firm Proofpoint, Kronos was first discovered in 2014 and was a steady fixture in the threat landscape for a few years before largely disappearing. Now a new variant has appeared, with at least three distinct campaigns targeting Germany, Japan, and Poland respectively, to date.
In April 2018, the first samples of a new variant of the banking Trojan appeared in the wild. The most notable new feature is that the command and control (C&C) mechanism has been refactored to use the Tor anonymising network.
Proofpoint explains (on 24 July) that there is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” (after the Egyptian god of rebirth) and is being sold on underground markets.
On its site, the firm goes into some deep analysis and presents information on the German, Japanese, and Polish campaigns as well as a fourth campaign that looks to be a work in progress and still being tested.
There is no time or space to relate every aspect of that impressive research; however, one example is worth noting.
Proofpoint says that, based on a tweet from a security researcher, it investigated a malvertising chain sending victims to a site containing malicious JavaScript injections. This JavaScript redirected victims to the RIG exploit kit, which was distributing the SmokeLoader downloader malware. In this case, the final payload was the new version of Kronos.
In the Japanese campaign, for example, Kronos’ webinjects were targeting thirteen Japanese financial institutions.
Kronos malware has been well-documented previously. It uses man-in-the-browser techniques along with webinject rules to modify the web pages of financial institutions, facilitating the theft of user credentials, account information, other user information, and money through fraudulent transactions.
The new 2018 version shares many similarities with older versions.