Comeback: Kronos Banking trojan reappears in the cyberspace

The new version of Kronos Banking trojan has been discovered

The comeback of Kronos banking trojanResearchers detected a new Kronos 2018 edition which employs 3 distinct campaigns and targets people from Germany, Japan, and Poland.

Researchers have discovered a new variant of Kronos Banking trojan in April 2018. At first, the submitted samples were merely tests. Although, experts took a closer look once real-life campaigns have started spreading the Trojan horse across the world.

Kronos virus was first discovered in 2014 and hasn't been active in the recent years. However, the rebirth has resulted in more than three distinct campaigns which are targeting computer users in Germany, Japan, and Poland[1]. Likewise, there is a substantial risk that the attackers aim to make the infection spread worldwide.

According to the analysis, the most noticeable new feature of Kronos Banking trojan is an updated Command-and-Control (C&C) server which is designed to work together with the Tor browser[2]. This feature allows the criminals to remain anonymous during the attacks.

The peculiarities of Kronos distribution campaigns

Security researchers note that they have introspected four different campaigns since June 27 which have led to the installation of Kronos malware. The distribution of the banking Trojan had its own peculiarities differing in each of the targeted countries, including Germany, Japan, and Poland.

Campaign targeting German-speaking computer users

During the three-day period from June 27 to June 30 experts discovered a malspam campaign which was used to spread Kronos virus. Malicious emails contained the subject lines “Updating our terms and conditions.” or “Reminder: 9415166” and aimed to infect computers of 5 German financial institutions' users[3].

The following malicious attachments were appended in Kronos spam emails:

  • agb_9415166.doc
  • Mahnung_9415167.doc

Attackers used hxxp://jhrppbnh4d674kzh[.]onion/kpanel/connect.php URL as their C&C server. Spam emails contained Word documents which malicious macros which if enabled were programmed to drop Kronos banking Trojan. Also, there were smoke-loaders detected which are initially designed to infiltrate the system with additional malware.

Campaign targeting people from Japan

Attacks performed on 15-16 July were aiming to affect computer users in Japan. This time, the criminals targeted users of 13 different Japanese financial institutions with malvertising campaigns. Victims were sent to the suspicious site with malicious JavaScript codes which redirected users to Rig exploit kit[4].

Hackers employed hxxp://jmjp2l7yqgaj5xvv[.]onion/kpanel/connect.php as their C&C for Kronos distribution. Researchers describe the attack's peculiarities as follows:

This JavaScript redirected victims to the RIG exploit kit, which was distributing the SmokeLoader downloader malware.

Campaign targeting users located in Poland

On July 15, security experts analyzed the third Kronos campaign which employed malicious spam emails as well. People from Poland received emails with fake invoices named as “Faktura 2018.07.16.” The obfuscated document contained CVE-2017-11882 “Equation Editor” exploit to infiltrate the systems with Kronos virus.

Victims were redirected to hxxp://mysit[.]space/123//v/0jLHzUW which was designed to drop the payload of the malware. The final note by experts is that this campaign used hxxp://suzfjfguuis326qw[.]onion/kpanel/connect.php as its C&C.

Kronos might be rebranded as Osiris Trojan in 2018

While introspecting the underground markets, experts detected that at the time when Kronos 2018 edition was discovered, an anonymous hacker was promoting a new banking Trojan named Osiris on the hacking forums[5].

There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets.

Even though researchers can't confirm this fact, there are multiple similarities between the viruses:

  • The size of Osiris Trojan is close to Kronos malware (350 and 351 KB);
  • Both use Tor browser;
  • The first sample of Kronos trojan was named as os.exe which might refer to Osiris.
About the author
Linas Kiguolis
Linas Kiguolis - IT professional

Linas Kiguolis is a qualified IT expert that loves sharing his excellent knowledge about problems in Windows and Mac operating systems. Linas’ insights often help other team members find quick solutions for visitors of UGetFix site.

Contact Linas Kiguolis
About the company Esolutions