Kronos malware was initially discovered in 2014 and maintained a steady presence on the threat landscape for a few more years, before vanishing for a while. Recently, a variant of the Kronos Banking Trojan targeted users in Germany, Japan, and Poland.
The returned Kronos uses web injects and man-in-the-browser (MitB) attacks to alter web pages as the browser renders them and to steal account information, credentials, and other sensitive data. It also includes hidden VNC functionality and keystroke logging.
Researchers identified three campaigns distributing the renewed Kronos, targeting Germany, Japan, and Poland. A fourth campaign appears to be in progress.
- Campaign One: The first campaign carrying the latest Kronos samples took place on June 27. It targeted German users with malicious documents attached to spam emails. The documents carried macros that downloaded and executed the malware; in some cases the SmokeLoader downloader was used as an intermediate stage to fetch Kronos.
- Campaign Three: The campaign targeting Poland started on July 15 and used fake invoice emails carrying malicious documents that attempted to exploit CVE-2017-11882 (the Equation Editor vulnerability) to download and execute Kronos. The Kronos samples observed in all three campaigns used .onion domains for C&C. Web injects were used in the German and Japanese campaigns, but none were seen in the attacks on Poland.
- Campaign Four: A fourth campaign that commenced on July 20 appeared to be a work in progress. The Kronos samples were again configured to use the Tor network, and a test web inject was observed.
What You’ll Find In The New Variant Of The Kronos Banking Trojan
Here are some details on the 2018 Kronos samples:
- They share extensive code and string overlap with the older versions
- They use the same Windows API hashing technique and the same hash values
- They use the same string encryption technique
- They feature the same C&C encryption mechanism and protocol
- They leverage the same web inject format
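The web inject and MitB behaviour described above (altering the page the victim sees, in the same inject format the older versions used) can be made concrete with a small parser and applier. This is an added example, not code from the page or from the Kronos samples, and it assumes the widely documented Zeus-style inject format (set_url / data_before / data_inject / data_after / data_end), which the page does not name. The login page and inject config are constructed; the bank URL and field names are invented. Because the inject replaces everything between `data_before` and `data_after`, the same rule can both add fields and remove warnings or balance lines. The last function shows the defender-side check: compare the form fields the browser rendered with those the server actually sent.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List


@dataclass
class WebInject:
    """One Zeus-style inject rule (assumed format, not Kronos' own parser)."""
    url_mask: str              # glob over the target URL, e.g. https://bank.example/login*
    flags: str = ""            # Zeus flags such as G/P (request method); not used here
    before: str = ""           # anchor text that precedes the injection point
    inject: str = ""           # markup inserted at the injection point
    after: str = ""            # anchor text that closes the replaced region


def parse_injects(config: str) -> List[WebInject]:
    """Parse set_url / data_before / data_inject / data_after / data_end blocks."""
    rules: List[WebInject] = []
    cur = None
    section = None
    buf: List[str] = []
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("set_url"):
            if cur is not None:
                rules.append(cur)
            parts = s.split()
            if len(parts) < 2:
                cur = None
                continue
            cur = WebInject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
        elif s in ("data_before", "data_inject", "data_after"):
            section, buf = s, []
        elif s == "data_end" and cur is not None and section is not None:
            setattr(cur, section[len("data_"):], "\n".join(buf))  # data_before -> before, etc.
            section = None
        elif section is not None:
            buf.append(line)
    if cur is not None:
        rules.append(cur)
    return rules


def apply_injects(url: str, html: str, rules: List[WebInject]) -> str:
    """Rewrite html as a MitB component would: for every rule whose mask matches
    the URL, replace whatever sits between `before` and `after` with `inject`."""
    for r in rules:
        if not fnmatch(url, r.url_mask):
            continue
        start = html.find(r.before) if r.before else 0
        if start < 0:
            continue
        start += len(r.before)
        if r.after:
            end = html.find(r.after, start)
            if end < 0:
                continue
        else:
            end = start                  # empty data_after: pure insertion
        html = html[:start] + r.inject + html[end:]
    return html


def input_names(html: str) -> List[str]:
    return re.findall(r'<input[^>]*\bname="([^"]+)"', html)


def unexpected_fields(expected_html: str, observed_html: str) -> List[str]:
    """Defender-side check: form fields present in what the browser rendered
    but absent from the page the server actually sent."""
    return sorted(set(input_names(observed_html)) - set(input_names(expected_html)))


# Constructed sample page and inject config (not from any real bank or sample).
LOGIN_PAGE = """<form action="/login" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
  <button>Sign in</button>
</form>"""

INJECT_CONFIG = """set_url https://bank.example/login* GP
data_before
<input name="pass" type="password">
data_end
data_inject

  <input name="pin" type="password" placeholder="ATM PIN">

data_end
data_after
<button>
data_end
"""


def demo() -> List[str]:
    """Apply the constructed inject and report which fields it smuggled in."""
    rules = parse_injects(INJECT_CONFIG)
    rendered = apply_injects("https://bank.example/login?lang=en", LOGIN_PAGE, rules)
    return unexpected_fields(LOGIN_PAGE, rendered)


if __name__ == "__main__":
    print(demo())
```

The rendered page asks for an "ATM PIN" the real site never requests; since the rewrite happens inside the browser after TLS, server-side controls never see it, which is why the comparison of served versus rendered markup (for instance from an in-page integrity beacon) is the useful signal.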
The C&C panel file layout closely resembles the older variants, and the same self-identifying string is present in the malware. The major change is the use of .onion C&C URLs and the Tor network to anonymize C&C communications.
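The switch to .onion C&C URLs gives defenders one cheap network signal. RFC 7686 reserves .onion for Tor and says such names must not be resolved through the DNS; a properly working Tor client never sends them to the enterprise resolver. Any .onion query that does appear in resolver logs therefore points at a host with a Tor-dependent component that is misconfigured or leaking. The script below is an added example, not anything from the page or from the Kronos samples: it runs that check over a constructed resolver log (the format and every address in it are made up) and adds a weaker heuristic for onion-gateway style names.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Onion service labels are base32: 16 chars (v2) or 56 chars (v3).
ONION_ADDR_RE = re.compile(r"[a-z2-7]{16}|[a-z2-7]{56}")

# Constructed sample resolver log: "<timestamp> <client> <qtype> <qname>" per line.
# The .onion names are made up; none corresponds to a real hidden service.
V3_ADDR = "abcd2345" * 7
SAMPLE_DNS_LOG = f"""\
2018-07-16T09:12:01Z 10.0.3.14 A www.example.com
2018-07-16T09:12:07Z 10.0.3.14 A k7s3xq2dlzmfa5bc.onion
2018-07-16T09:12:09Z 10.0.3.22 AAAA mail.example.com
2018-07-16T09:13:40Z 10.0.3.14 A {V3_ADDR}.onion.
2018-07-16T09:13:52Z 10.0.3.22 A notavalid.onion
2018-07-16T09:14:02Z 10.0.3.31 A k7s3xq2dlzmfa5bc.onion.example.com
2018-07-16T09:14:30Z 10.0.3.31 A oniondesk.example.com
"""


def parse_dns_line(line: str) -> Dict[str, str]:
    ts, client, qtype, name = line.split()
    return {"ts": ts, "client": client, "qtype": qtype,
            "name": name.rstrip(".").lower()}


def onion_findings(log_text: str) -> List[dict]:
    """Flag queries that should never reach a resolver (RFC 7686: .onion is
    resolved inside the Tor client) plus a weaker heuristic for gateway style
    names of the form <addr>.onion.<gateway-domain>."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_dns_line(line)
        labels = rec["name"].split(".")
        if labels[-1] == "onion":
            addr = labels[-2] if len(labels) >= 2 else ""
            findings.append({**rec, "rule": "onion_dns_leak", "onion": addr,
                             "well_formed": bool(ONION_ADDR_RE.fullmatch(addr))})
        elif "onion" in labels[:-2]:
            findings.append({**rec, "rule": "possible_onion_gateway",
                             "onion": None, "well_formed": None})
    return findings


def clients_with_onion_leaks(findings: List[dict]) -> Dict[str, List[str]]:
    """Group leaked .onion names by querying client for triage."""
    per_client: Dict[str, set] = defaultdict(set)
    for f in findings:
        if f["rule"] == "onion_dns_leak":
            per_client[f["client"]].add(f["onion"])
    return {c: sorted(v) for c, v in per_client.items()}


if __name__ == "__main__":
    found = onion_findings(SAMPLE_DNS_LOG)
    for f in found:
        print(f["ts"], f["client"], f["rule"], f["name"], f["well_formed"])
    print(clients_with_onion_leaks(found))
```

The caveat is that this only catches leaks: malware that carries its own Tor client resolves the .onion name inside the Tor circuit and never touches the resolver, so the check belongs alongside egress controls that block or alert on direct connections to Tor relays and directory authorities. Well-formedness of the label separates real onion addresses from typos and test strings when prioritising the hits.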
There is circumstantial evidence that this latest variant of Kronos has been rebranded 'Osiris' (after the Egyptian god of rebirth) and is being sold on underground markets.
Osiris is advertised on underground forums with capabilities that overlap those observed in the new version of Kronos, and at almost the same size (about 350 KB). The researchers also observed a file naming scheme in the Kronos samples that appears to indicate a connection with Osiris.
Xcitium Advanced Endpoint Protection Protects Against the Kronos Banking Trojan
Endpoint protection prevents targeted attacks and advanced persistent threats (APTs) that cannot be stopped by antivirus alone. Endpoint security solutions give enterprises a full spectrum of centrally managed security controls for securing workstations, endpoints, servers, and other systems.
Xcitium Advanced Endpoint Protection (AEP) places all unknown files in auto-containment, a virtual container in which suspicious files can be executed and examined immediately and safely. Xcitium AEP operates from a Default Deny Platform, giving complete enterprise visibility while keeping the endpoints connected to the organization's network free of malware. Its IT and security management console handles Linux, OSX, iOS, Windows, and Android devices across the organization's physical and virtual networks.
How Xcitium Advanced Endpoint Protection blocks the Kronos Banking Trojan:
- AEP employs the Default Deny PlatformTM to block known-bad files and, with its Intelligent Automatic Containment technology, automatically contain unknown files in a virtual container.
- Xcitium VirusScope technology examines unknown files on the endpoint for malicious actions and behavior.
- Valkyrie provides a cloud-based accelerated verdict in about 45 seconds, based on dynamic analysis, static analysis, and human analyst interaction.
- Malicious files are removed, good files are permitted to run on the endpoint, and unknown files are contained in the lightweight virtual container on the endpoint and examined in real time.
AEP and the Kronos Banking Trojan
Advanced Endpoint Protection can be provisioned within a minute; it uses negligible CPU resources and needs an endpoint footprint of only about 10 MB. It provides protection for both virtual and physical endpoints in small and large enterprises alike.