Kronos Banking Trojan Has Returned
26.7.18 securityweek

The Kronos banking Trojan is showing renewed strength and has been very active over the past several months, Proofpoint security researchers warn.

Kronos malware was first discovered in 2014 and maintained a steady presence on the threat landscape for a few years, before largely disappearing for a while. It uses man-in-the-browser (MiTB) attacks and webinjects to modify accessed web pages and steal user credentials, account information, and other data. It can also log keystrokes and has hidden VNC functionality.

Last year, the United States Federal Bureau of Investigation said that Kronos was built and distributed by British researcher Marcus Hutchins, who goes by the online handle of MalwareTech and who is known for stopping the WannaCry ransomware attack.

The new Kronos samples, which were observed in campaigns targeting users in Germany, Japan, and Poland, are connecting to a command and control (C&C) domain on the Tor network. There’s also speculation that the malware might have been rebranded to Osiris, but no hard evidence on this has emerged so far.

The first campaign carrying the new Kronos samples was observed on June 27, targeting German users with malicious documents attached to spam emails. The documents carried macros to download and execute the malware and the SmokeLoader Trojan downloader was used in some cases.

Targeting Japan, the second campaign was observed on July 13 and involved a malvertising chain. Malicious ads took users to a site where JavaScript injections redirected to the RIG exploit kit, which delivered SmokeLoader. The downloader would then drop Kronos onto the compromised machines.

The Poland campaign started on July 15 and involved fake invoice emails carrying malicious documents that attempted to exploit CVE-2017-11882 (the Equation Editor vulnerability) to download and execute Kronos.

The Kronos samples observed in all three campaigns were configured to use .onion domains for C&C purposes. The researchers also observed that webinjects were used in the German and Japanese campaigns, but none was seen in the attacks on Poland.

A fourth campaign observed on July 20 appeared to be work in progress. The Kronos samples were once again configured to use the Tor network and a test webinject was spotted.

The 18 Kronos samples feature extensive code and string overlap with the older versions, abuse the same Windows API hashing technique and hashes and the same string encryption technique, leverage the same webinject format, and feature the same C&C encryption mechanism and C&C protocol and encryption.

The C&C panel file layout is also similar to the older variants and a self-identifying string is also present in the malware. The major change, however, is the use of .onion C&C URLs and the Tor network to anonymize communications.

There is also some evidence to suggest that the malware might have been rebranded to Osiris (the Egyptian god of rebirth).

The new malware is being advertised on underground forums as packing capabilities that overlap with those observed in the new version of Kronos and as having about the same size (at 350 KB), and the researchers also observed a filenaming scheme in Kronos that appears to suggest a connection with Osiris.

“The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape. […] While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan,” Proofpoint concludes.