Thread: Kronos Banking Trojan resurrection, new campaigns spotted in the wild

  1. #1
    VOLKOV's Avatar
    Moderator
    Join Date Jun 2014
    Location Kanchatka
    Posts 609
    Kronos Banking Trojan resurrection, new campaigns spotted in the wild

    Researchers from Proofpoint have discovered a new variant of the infamous Kronos banking Trojan that was involved in several attacks in the recent months.
    The infamous Kronos banking Trojan is back, and according to the experts from Proofpoint it was involved in several attacks in the last months.

    The malware was first spotted in 2014 by researchers at security firm Trusteer, who discovered an ad on the Russian underground market regarding a new financial Trojan dubbed Kronos.

    The new variant was discovered in at least three distinct campaigns targeting Germany, Japan, and Poland respectively.

    The new variants share many similarities with older versions:

    • Extensive code overlap
    • Same Windows API hashing technique and hashes
    • Same string encryption technique
    • Extensive string overlap
    • Same C&C encryption mechanism
    • Same C&C protocol and encryption
    • Same webinject format (Zeus format)
    • Similar C&C panel file layout

    “Some of the features highlighted in the ad (written in C++, banking Trojan, uses Tor, has form grabbing and keylogger functionality, and uses Zeus-formatted webinjects) overlap with features we observed in this new version of Kronos.” continues the analysis.

    “The ad mentions the size of the bot to be 350 KB which is very close to the size (351 KB) of an early, unpacked sample of the new version of Kronos we found in the wild [8]. This sample was also named “os.exe” which may be short for “Osiris”.”

    Since April 2018, experts have discovered new samples of a new variant of the Kronos banking Trojan in the wild. The most important improvement is the command and control (C&C) mechanism, which leverages the Tor anonymizing network.

    “There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets.” states the analysis published by Proofpoint.

    A first campaign was observed on June 27; the malware targeted German users with weaponized documents attached to spam emails. The macros included in the document were used as a downloader for the payload, in some cases the SmokeLoader downloader.

    A second campaign was uncovered on July 13; the victims were infected through a malvertising campaign. The malicious ads pointed to a website that, thanks to JavaScript injections, redirected visitors to the RIG exploit kit, which delivered SmokeLoader. The downloader would then deliver Kronos onto the compromised machines.

    A third campaign, observed since July 15, sees victims receiving fake invoice emails carrying weaponized documents that attempt to exploit the CVE-2017-11882 vulnerability to deliver and execute the Kronos Trojan.

    The experts highlighted that the malware leveraged webinjects in the German and Japanese campaigns, but they weren’t involved in the attacks on Poland.

    The fourth campaign started on July 20 and according to the experts it is still ongoing.

    “The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape.” Proofpoint concludes.

    “While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan.”
    Last edited by VOLKOV; 3 Weeks Ago at 02:33.
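The post's similarity list ("extensive string overlap", shared webinject keywords) is the kind of evidence analysts use to link a new sample to an older family. The following is an added example, not code from the post or from Proofpoint: it extracts printable strings from two binaries the way the `strings` utility does and scores their overlap with a Jaccard index, so that a variant sharing most of its string table with a known family stands out from an unrelated binary. The byte blobs, string contents and the 0.5 threshold are constructed for illustration; the webinject keywords are the Zeus-format directives the post refers to, not strings taken from any Kronos sample.

```python
import re

MIN_LEN = 5  # same default minimum run length as the `strings` utility


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> set:
    """Return the set of printable-ASCII runs of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pattern.finditer(data)}


def jaccard(a: set, b: set) -> float:
    """Jaccard index |A & B| / |A | B|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare_samples(data_a: bytes, data_b: bytes, threshold: float = 0.5,
                    min_len: int = MIN_LEN) -> dict:
    """Score string overlap between two binaries and flag them as related
    when the overlap exceeds the (assumed, illustrative) threshold."""
    strings_a = extract_strings(data_a, min_len)
    strings_b = extract_strings(data_b, min_len)
    score = jaccard(strings_a, strings_b)
    return {
        "score": score,
        "shared": sorted(strings_a & strings_b),
        "related": score >= threshold,
    }


def _blob(strings) -> bytes:
    """Build a constructed 'binary': each string is wrapped in non-printable
    filler so the runs stay separate, as they would in a real file."""
    out = bytearray()
    for s in strings:
        out += b"\x00\x01\x02" + s.encode("ascii") + b"\x00\xff"
    return bytes(out)


# Constructed stand-ins for an old and a new sample of one family, plus an
# unrelated binary. set_url / data_before / data_after are Zeus-format
# webinject directives; the other strings are invented for this example.
SAMPLE_OLD = _blob([
    "CONSTRUCTED_API_HASH_TABLE", "set_url", "data_before", "data_after",
    "Mozilla/5.0 (constructed)", "old_only_string",
])
SAMPLE_NEW = _blob([
    "CONSTRUCTED_API_HASH_TABLE", "set_url", "data_before", "data_after",
    "Mozilla/5.0 (constructed)", ".onion",
])
UNRELATED = _blob([
    "Mozilla/5.0 (constructed)", "unrelated_one", "unrelated_two",
    "unrelated_three",
])

if __name__ == "__main__":
    for label, other in (("new variant", SAMPLE_NEW), ("unrelated", UNRELATED)):
        result = compare_samples(SAMPLE_OLD, other)
        print(f"{label}: score={result['score']:.3f} related={result['related']}")
        for s in result["shared"]:
            print("   shared:", s)
```

Against the old sample, the new variant scores 5/7 (five of seven distinct strings shared, including the webinject keywords) and is flagged as related, while the unrelated binary shares only the user-agent string and scores 1/9. In practice the string sets come from real files (`open(path, "rb").read()`), and a common user-agent or runtime string appearing in both is exactly why a single shared string should not drive the verdict; the ratio over the whole string table does.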
