News 3 min read

Comeback: Kronos Banking trojan reappears in the cyberspace

5 minutes The new version of Kronos Banking trojan has been discovered Kronos banking trojan is back Researchers have discovered a new variant of Kronos Banking trojan in April 2018. At first, the submitted samples were merely tests. Although, experts took a closer look once real-life campaigns have started spreading the Trojan horse across the […]

Kronos banking trojan is back
0 Comments
5 minutes

The new version of Kronos Banking trojan has been discovered

Kronos banking trojan is back
Kronos banking trojan is back

Researchers have discovered a new variant of Kronos Banking trojan in April 2018. At first, the submitted samples were merely tests. Although, experts took a closer look once real-life campaigns have started spreading the Trojan horse across the world. 

Kronos virus was first discovered in 2014 and hasn't been active in the recent years. However, the rebirth has resulted in more than three distinct campaigns which are targeting computer users in Germany, Japan, and Poland. Likewise, there is a substantial risk that the attackers aim to make the infection spread worldwide. 

According to the analysis, the most noticeable new feature of Kronos Banking trojan is an updated Command-and-Control (C&C) server which is designed to work together with the Tor browser. This feature allows the criminals to remain anonymous during the attacks.

The peculiarities of Kronos distribution campaigns

Security researchers note that they have introspected four different campaigns since June 27 which have led to the installation of Kronos malware. The distribution of the banking Trojan had its own peculiarities differing in each of the targeted countries, including Germany, Japan, and Poland.

Campaign targeting German-speaking computer users

During the three-day period from June 27 to June 30 experts discovered a malspam campaign which was used to spread Kronos virus. Malicious emails contained the subject lines “Updating our terms and conditions.” or “Reminder: 9415166” and aimed to infect computers of 5 German financial institutions' users. 

The following malicious attachments were appended in Kronos spam emails:

  • agb_9415166.doc
  • Mahnung_9415167.doc

Attackers used hxxp://jhrppbnh4d674kzh[.]onion/kpanel/connect.php URL as their C&C server. Spam emails contained Word documents which malicious macros which if enabled were programmed to drop Kronos banking Trojan. Also, there were smoke-loaders detected which are initially designed to infiltrate the system with additional malware.

Campaign targeting people from Japan

Attacks performed on 15-16 July were aiming to affect computer users in Japan. This time, the criminals targeted users of 13 different Japanese financial institutions with malvertising campaigns. Victims were sent to the suspicious site with malicious JavaScript codes which redirected users to Rig exploit kit. 

Hackers employed hxxp://jmjp2l7yqgaj5xvv[.]onion/kpanel/connect.php as their C&C for Kronos distribution. Researchers describe the attack's peculiarities as follows:

This JavaScript redirected victims to the RIG exploit kit, which was distributing the SmokeLoader downloader malware.

Campaign targeting users located in Poland

On July 15, security experts analyzed the third Kronos campaign which employed malicious spam emails as well. People from Poland received emails with fake invoices named as “Faktura 2018.07.16.” The obfuscated document contained CVE-2017-11882 “Equation Editor” exploit to infiltrate the systems with Kronos virus.

Victims were redirected to hxxp://mysit[.]space/123//v/0jLHzUW which was designed to drop the payload of the malware. The final note by experts is that this campaign used hxxp://suzfjfguuis326qw[.]onion/kpanel/connect.php as its C&C. 

Kronos might be rebranded as Osiris Trojan in 2018

While introspecting the underground markets, experts detected that at the time when Kronos 2018 edition was discovered, an anonymous hacker was promoting a new banking Trojan named Osiris on the hacking forums.

There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets.

Even though researchers can't confirm this fact, there are multiple similarities between the viruses:

  • The size of Osiris Trojan is close to Kronos malware (350 and 351 KB);
  • Both use Tor browser;
  • The first sample of Kronos trojan was named as os.exe which might refer to Osiris.
Did this fix work for you?
Linas Kiguolis

Written by

Co-founder & Tech Lead
System architecture Performance optimization Browser troubleshooting Network issues Software conflicts

Linas Kiguolis is co-founder of uGetFix and the platform's technical lead. With over a decade of experience in Windows systems, web infrastructure, and browser performance, he shapes the technical direction of the site and personally validates complex multi-step fixes. Linas has a background in software engineering and applies that rigour to troubleshooting guides — ensuring every recommended step is tested, reproducible, and safe. His areas of focus include system performance degradation, browser-level failures, software conflicts, and network connectivity issues affecting Windows users.

0 Comments

Be the first to comment

Still worried? Run a free check.

Paste any URL or domain — we'll scan it against 4.2M known threats in 10 seconds.

View full scanner → Add to your website →