The new version of Kronos Banking trojan has been discovered
Researchers discovered a new variant of the Kronos banking trojan in April 2018. At first, the submitted samples were merely tests; experts took a closer look once real-life campaigns started spreading the Trojan horse across the world.
The Kronos virus was first discovered in 2014 and hasn't been active in recent years. However, its rebirth has resulted in more than three distinct campaigns targeting computer users in Germany, Japan, and Poland. Likewise, there is a substantial risk that the attackers aim to make the infection spread worldwide.
According to the analysis, the most noticeable new feature of the Kronos banking trojan is an updated Command-and-Control (C&C) server designed to work over the Tor network, using .onion addresses. This feature allows the criminals to remain anonymous during the attacks.
The peculiarities of Kronos distribution campaigns
Security researchers note that they have observed four different campaigns since June 27 which led to the installation of Kronos malware. The distribution of the banking Trojan had its own peculiarities in each of the targeted countries, including Germany, Japan, and Poland.
Campaign targeting German-speaking computer users
During the three-day period from June 27 to June 30, experts discovered a malspam campaign used to spread the Kronos virus. Malicious emails carried the subject lines “Updating our terms and conditions.” or “Reminder: 9415166” and targeted the customers of 5 German financial institutions.
The following malicious attachments were used in the Kronos spam emails:
Attackers used hxxp://jhrppbnh4d674kzh[.]onion/kpanel/connect.php as their C&C server. The spam emails contained Word documents with malicious macros which, if enabled, dropped the Kronos banking Trojan. Smoke Loader samples were also detected; this loader is designed to infiltrate the system with additional malware.
Campaign targeting people from Japan
Hackers employed hxxp://jmjp2l7yqgaj5xvv[.]onion/kpanel/connect.php as their C&C for the Kronos distribution. Researchers describe the attack's peculiarities as follows:
Campaign targeting users located in Poland
On July 15, security experts analyzed the third Kronos campaign, which also employed malicious spam emails. People in Poland received emails with fake invoices named “Faktura 2018.07.16.” The obfuscated document contained an exploit for CVE-2017-11882, the Microsoft Office “Equation Editor” vulnerability, to infiltrate systems with the Kronos virus.
Victims were redirected to hxxp://mysit[.]space/123//v/0jLHzUW, which was designed to drop the malware payload. The final note by experts is that this campaign used hxxp://suzfjfguuis326qw[.]onion/kpanel/connect.php as its C&C.
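All three campaigns above share one trait a defender can act on: the C&C is a .onion host serving the same /kpanel/connect.php panel path. The following added example (not code from the article or from the researchers it cites) refangs the indicators quoted above and runs them, plus the generic panel-path rule that generalises across the three C&Cs, over constructed Squid-style proxy log lines. The log format, client IPs and the fourth .onion host are assumptions made for the demonstration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Defanged C&C URLs as quoted in the article (hxxp / [.] notation).
KRONOS_C2 = {
    "germany": "hxxp://jhrppbnh4d674kzh[.]onion/kpanel/connect.php",
    "japan": "hxxp://jmjp2l7yqgaj5xvv[.]onion/kpanel/connect.php",
    "poland": "hxxp://suzfjfguuis326qw[.]onion/kpanel/connect.php",
}
KRONOS_DROPPER = "hxxp://mysit[.]space/123//v/0jLHzUW"
# Panel path shared by all three C&Cs; used as a generic rule for unknown hosts.
PANEL_PATH = "/kpanel/connect.php"

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a real URL for exact matching."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

KNOWN = {refang(u): f"kronos-c2-{c}" for c, u in KRONOS_C2.items()}
KNOWN[refang(KRONOS_DROPPER)] = "kronos-dropper"

# Squid access.log shape (assumed): "<ts> <ms> <client> <status> <bytes> <method> <url> ..."
LOG_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")

def classify_url(url: str) -> Optional[str]:
    """Return a detection label for a URL, or None if no rule matches."""
    if url in KNOWN:
        return KNOWN[url]
    parsed = urlparse(url)
    if (parsed.hostname or "").endswith(".onion") and parsed.path == PANEL_PATH:
        return "kronos-panel-path"  # unknown .onion host, known Kronos panel path
    return None

def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, label, url) for every log line that hits a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (label := classify_url(m.group("url"))):
            hits.append((m.group("client"), label, m.group("url")))
    return hits

# Constructed sample log: one benign request, two indicators from the article,
# and one made-up .onion host that only the generic panel-path rule catches.
SAMPLE_LOG = """\
1530139200.123 45 10.0.0.12 TCP_MISS/200 2048 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1530139201.456 80 10.0.0.12 TCP_MISS/200 512 POST http://jhrppbnh4d674kzh.onion/kpanel/connect.php - DIRECT/127.0.0.1 text/html
1531699200.789 60 10.0.0.33 TCP_MISS/200 70656 GET http://mysit.space/123//v/0jLHzUW - DIRECT/203.0.113.5 application/octet-stream
1531699300.000 70 10.0.0.33 TCP_MISS/200 300 POST http://abcdefabcdefabcd.onion/kpanel/connect.php - DIRECT/127.0.0.1 text/html
""".splitlines()
```

Running `scan_proxy_log(SAMPLE_LOG)` flags three of the four lines; the generic rule matters because a new campaign is likely to rotate the .onion host while keeping the panel.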
Kronos might be rebranded as Osiris Trojan in 2018
While monitoring the underground markets, experts noticed that, at the time the 2018 edition of Kronos was discovered, an anonymous hacker was promoting a new banking Trojan named Osiris on hacking forums.
There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets.
Even though researchers can't confirm this, there are multiple similarities between the two pieces of malware:
- The size of the Osiris Trojan is close to that of Kronos (350 and 351 KB);
- Both communicate over Tor;
- The first sample of the Kronos trojan was named os.exe, which might refer to Osiris.