Kronos Banking Trojan Makes A Comeback

Arthur 11 Oct, 2022 730 Views
1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 4.00 out of 5)

Kronos malware was initially discovered in 2014 and maintained a steady presence on the threat landscape for a few more years, before vanishing for a while. Recently, a variant of Kronos Banking Trojan targeted users in Germany, Japan, and Poland.

This infamous Kronos banking Trojan that has now returned all over again uses web injects and man-in-the-browser (MiTB) attacks to alter accessed web pages and steal users’ account information, credentials, and other such essential data. Besides having hidden VNC functionality, it can also log keystrokes.

Researchers identified three campaigns distributing a renewed version of this banking Trojan. These three campaigns have been targeting Germany, Japan, and Poland. A fourth campaign also seems to be in progress.

  • Campaign One: The first campaign to carry the latest Kronos samples took place on June 27. This campaign targeted German users with malicious documents attached to spam emails. The documents carried macros to download and execute the malware, and the SmokeLoader Trojan downloader was used in a few cases.
  • Campaign Two: The second campaign targeting Japan was observed on July 13 and involved a malvertising chain. Malicious ads directed users to a site where JavaScript injections redirected to the RIG exploit kit, which delivered SmokeLoader. This was followed by the downloader dropping Kronos onto the compromised machines.
  • Campaign Three: The campaign targeting Poland started on July 15 and involved fake invoice emails carrying malicious documents that tried to exploit CVE-2017-11882 (the Equation Editor vulnerability) to download and execute Kronos. The Kronos samples observed in all three campaigns were designed to use .onion domains for C&C purposes. Additionally, the researchers observed that web injects were employed in the Japanese and German campaigns, but none were seen in the attacks on Poland.
  • Campaign Four: A fourth campaign that commenced on July 20 appeared to be a work in progress. The Kronos samples were configured all over again to use the Tor network and a test web inject was spotted.

What You’ll Find In The New Variant Of The Kronos Banking Trojan

Here are some details on the 2018 Kronos samples:

  • They’re available with an extensive code and string overlap with the older versions
  • They abuse the same Windows API hashing technique and hashes
  • They abuse the same string encryption technique
  • They feature the same C&C encryption mechanism and protocol
  • They leverage the same web inject format

The C&C panel file layout is very much like the older variants and a self-identifying string is also present in the malware. However, the major change is the use of .onion C&C URLs and the Tor network to anonymize communications.

There is some circumstantial evidence indicating that this latest variant of Kronos has been rebranded ‘Osiris’ (the Egyptian god of rebirth) and is being sold on underground markets.

This new malware variant is being advertised on underground forums as having capabilities that overlap with those observed in the new version of Kronos, and also having almost the same size (at 350 KB). The researchers further observed a file naming scheme in Kronos that appears to indicate a connection with Osiris.

Xcitium Advanced Endpoint Protection Will Protect Your Banking Information

Endpoint protection prevents targeted attacks and advanced persistent threats (APTs) which can’t be prevented by solely using antivirus solutions. Endpoint security solutions can provide enterprises with a complete spectrum of security solutions that can be centrally managed, and enables securing workstations, endpoints, servers, etc.

All the unknown files are quarantined by Xcitium Advanced Endpoint Protection (AEP) in auto-containment, which is a virtual container in which suspicious files can be examined and executed instantly and safely. Xcitium AEP operates from a Default Deny Platform in order to focus on complete enterprise visibility while the endpoints connected over the organization’s network are malware-free. Its console of IT and security management helps handle Linux, OSX, iOS, Windows, and Android devices linked to all the physical and virtual networks.

How Xcitium Advanced Endpoint Protection Works:

  • AEP employs the Default Deny PlatformTM to block bad files and automatically contain unknown files in a virtual container, with the help of Intelligent Automatic Containment technology.
  • The Xcitium VirusScope technology helps to examine unknown files at the endpoint, for malicious actions and behavior.
  • Valkyrie provides a cloud-based accelerated verdict within almost 45 seconds, based on dynamic, static, and human analyst interaction.
  • Malicious files are removed, good files are permitted to run on the endpoint CPU and unknown files are contained in the lightweight virtual container on the endpoint and examined in real-time.
  • Advanced Endpoint Protection can be provisioned within just a minute; it uses negligible CPU resources and needs an endpoint footprint of only about 10 MB. The program provides absolute security for both virtual and physical endpoints in both small and big enterprises.

See Also:

Best Endpoint Detection & Response

Endpoint Security
Trojan Virus