This article covers the newest iteration of the Kronos banking Trojan and the new features it brings to the cybersecurity landscape. Malware researchers are pondering whether the malware has evolved into the new Osiris Trojan horse.
Kronos Banking Trojan 2018 – New Campaigns
Malware researchers from Proofpoint have been keeping close track of the activity around the Kronos banking Trojan. Over the past few months, they have observed multiple campaigns for this specific malware targeting particular parts of the world, seemingly as a sort of test. April marks the first appearance of the new campaigns.
Proofpoint states that the major change in the Kronos code is that the old C&C (Command and Control) servers are no longer used. Instead, the Tor network has been adopted to host the new C&C control panels. The first sighting of this new feature occurred earlier in 2018, specifically in April.
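Because the new Kronos panels live on Tor, a defender's most direct signal is an endpoint that tries to reach a .onion host or checks in with one host on a fixed schedule. The script below is an added example written for this article, not code from Proofpoint or from the article itself; the proxy log format, the client addresses and the .onion name in SAMPLE_LOG are all constructed for the example.

```python
"""Flag proxy-log clients that talk to .onion hosts or beacon at regular intervals.

Added example for detecting Tor-hosted command-and-control traffic; it is not
code from the article or from Proofpoint. The log format and every host name
and address below are constructed for the example.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample proxy log, one request per line (assumed format):
# "<ISO timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2018-07-16T09:00:00 10.0.0.5 GET http://intranet.example.local/index.html 200
2018-07-16T09:00:12 10.0.0.7 POST http://abcdefghijklmnop.onion/gate.php 200
2018-07-16T09:03:40 10.0.0.9 GET http://news.example.com/ 200
2018-07-16T09:05:12 10.0.0.7 POST http://abcdefghijklmnop.onion/gate.php 200
2018-07-16T09:10:13 10.0.0.7 POST http://abcdefghijklmnop.onion/gate.php 200
2018-07-16T09:15:11 10.0.0.7 POST http://abcdefghijklmnop.onion/gate.php 200
2018-07-16T09:21:02 10.0.0.9 GET http://mail.example.com/ 200
"""


def parse_log(log_text):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        host = (urlparse(parts[3]).hostname or "").lower()
        yield ts, parts[1], host


def find_onion_requests(log_text):
    """Return the set of (client, host) pairs where the host is a .onion address.

    An ordinary workstation has no reason to send .onion names through a
    corporate proxy, so every hit is worth triaging on its own.
    """
    return {(client, host) for _, client, host in parse_log(log_text)
            if host.endswith(".onion")}


def beaconing_clients(log_text, min_requests=4, max_cv=0.1):
    """Return {(client, host): mean_interval_seconds} for regular check-ins.

    A client whose requests to one host are spaced with a coefficient of
    variation (stdev / mean) below max_cv is treated as beaconing.
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(log_text):
        times[(client, host)].append(ts)
    result = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.stdev(gaps) / mean < max_cv:
            result[key] = round(mean)
    return result


if __name__ == "__main__":
    for client, host in sorted(find_onion_requests(SAMPLE_LOG)):
        print(f"[onion] {client} -> {host}")
    for (client, host), gap in beaconing_clients(SAMPLE_LOG).items():
        print(f"[beacon] {client} -> {host} every ~{gap}s")
```

On the constructed log, 10.0.0.7 is reported twice: once for the .onion host and once for checking in roughly every 300 seconds. The beaconing check is the more durable of the two, since it keeps working when the proxy only sees an opaque SOCKS or TLS connection rather than a hostname; tune min_requests and max_cv to the traffic volume of the environment being monitored.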
Since then, three major campaigns have been identified, divided by the country they impacted: Germany, Japan, and Poland. German users were targeted between June 27th and June 30th. This email campaign featured malicious documents whose macro scripts downloaded Kronos, and it targeted a few different financial institutions.
The second campaign involved a malvertising chain that utilized the payload of the ZeuS Trojan virus https://sensorstechforum.com/remove-zeus-trojan-virus/ but ultimately loaded the new version of Kronos. The attack on Japanese users was reported on July 13th.
The third and latest distinct email campaign was observed two days after the Japanese reports, this time with Poland as the primary target. The emails contained fake invoices, such as “Faktura 2018.07.16”, and malicious .doc files. Since July 20th there appears to be a newer campaign, which is still ongoing and is currently regarded as being in its testing period.
Osiris Banking Trojan – the New Face of Kronos?
At nearly the same time as the new Kronos versions appeared in the wild, an advertisement for a new banking Trojan dubbed “Osiris” popped up on an underground hacking forum. Since both Kronos and Osiris are names of famous mythical deities, and the timing of the advertisement is very close to the active Kronos campaigns, Proofpoint researchers are pondering whether it is the same banking Trojan:
There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets.
The text of the advertisement is presented below:
What is Osiris?
It is a C++ Banking Trojan over Tor.
Why should I get Osiris?
Osiris cannot be tracked or shut down because it uses Tor connections and fully supports Win Vista/7/8/8.1/10 natively.
What are the Features?
-Tor Connection
-Ring 3 Rootkit 32 and 64bit
-Formgrabber POST and GET requests (it will grab everything) fully supported on Chrome 65 and FireFox 59 latest versions and below.
-WebInjections Zeus style webinjects with automatic update of injections, supported on Internet Explorer, FireFox 59 and below.
//Please read comment for Chrome:
(Chrome will be updated; it works only on old versions for now, because Chrome completely changed its structure since version 64, so only the Formgrabber works on it atm)
-Keylogger
-Download & Execute
-Bot Update
-Browser Password Recovery works on Firefox and Chrome
-Proactive Bypass
-AntiVMware, AntiSandbox, AntiDebug Support
What is the Size of the bot?
The size is 350kb; we will work on improving the size to make it smaller.
How much does all this cost?
The Price is $2,000 per month
What you will have?
Full support and webinjections documentation
Note:
Extra features will be added soon.
The price of Osiris will increase and will not affect old customers.
You can also buy a full lifetime license if you really need it.
Rules:
1. Refunds cannot be applied because the botnet cannot be shut down.
2. No sharing or giving out the panel or the bot to unauthorized parties.
3. For any issues please contact me directly first, do not post on the Thread.
4. You can sell the license with my approval and it will cost you a fee of 1000$.
5. If you don't follow the rules it will result in the termination of the license without refunds.
From the above text, it becomes clear that Osiris:
- is written in the C++ programming language
- is a banking Trojan horse
- uses the Tor anonymizing network
- has keylogger functionality
- has form grabbing functionality
- uses Zeus-formatted webinjects
All of these features, among others, are also present in Kronos. Proofpoint also points out that the 350 KB size of the Osiris bot is almost the same as the 351 KB size of an earlier, unpacked version of Kronos. These are speculations, but certainly not wild ones, and they could very well end up being the first evidence of the evolution of the Kronos banking Trojan.
The threat landscape is in a strange spot at the moment, as genuinely new malware appears less often than the current demand for it on the Dark Web would suggest. We see more new iterations of old malware with small tweaks than completely new malware code structures. Either way, Trojan horses are still effective as they are and can cause serious issues for bankers, as well as collateral damage to other computer systems in all affected networks.