Kronos Trojan hits the Banking Sector back with a new version

Kronos banking Trojan was first discovered in 2014. The malware capable of stealing banking credentials had its heydays back then. However, in 2016, suddenly the once daunting banking Trojan laid dormant and dropped off researchers’ hit list.
Recent research reveals that the malware is back again with its revamped version. The Trojan did made to the headlines in 2017 but the attack samples appeared to be mild with limited activity.
On 27th June 2018, the new variant got off the ground and is known to have launched four distinct campaigns since then targeting Germany, Japan and Poland and also one test campaign.
The new Version of the Kronos Banking Trojan has been retooled with a few new incorporated features like a new command-and-control feature that is designed to work with an anonymizing network – Tor. Tor is free software that enables anonymous communication. The software is intended to conceal Internet activity of the user to protect their privacy, giving them space to conduct confidential communication without letting their activities being monitored.
Many features of this new Kronos banking Trojan however remain the same. For instance,
  • There is extensive overlap in the code of 2014 and 2018 variants.
  • Windows API hashing technique and hashes of the new and the old version remain the same
  • Extensive string overlap
  • String encryption technique is again same
  • Same C&C (Command and Control) protocol and encryption
  • Same C&C encryption mechanism
  • Same Webinject format (Zeus format)
  • Similar C&C panel file layout
Also, it is believed that the new variant of the banking Trojan besides being retooled, has been rebranded as Osiris. This new Osiris malware used by some criminals has similar characteristics as that of Kronos banking Trojan. For instance, this Osiris Trojan is claimed to be 350 KB in size which is the alm

Kronos-Banking-Trojan.jpg

ost the same as Kronos’s size which is 351 KB.  Also the name is apt as Orisis is the Egyptian God of rebirth.

Campaign Analysis

  • Campaign against Germany: June 27-30 2018
A spam email campaign was discovered on June 27 2018 that targeted German users. The victims were customers of financial institutions and were purportedly send a spam mail with malicious attachments. The subject of the email when translated in English read as:
  1. Updating our terms and conditions
  2. Reminder: 94151……
The attached word documents contained macros that prompted users to enable it. Macros by default are disabled by Microsoft. Once it was enabled, the malicious script contained in the doc executed a new variant of Kronos Trojan. In these infringements, the Trojan used the URL http://jhrppbnh4d674kzh[.]onion/kpanel as its C&C. It downloaded web injects to steal credentials and other personal institutions through a web browser targeting five German financial institutions. The new variant is also known to have used an intermediate smoke-loader – a small application used to download other malware in the victimized system.
Read Full News

Comments

Post a Comment

Popular posts from this blog

How to remove ZUpdater.exe Trojan from your system?

Image
Guide to Remove ZUpdater.exe Trojan - ZUpdater.exe Trojan is a nasty threat to the Windows OS based devices. It uses the infected system’s resources to generate illicit crypto currency without the user’s permission or knowledge. Software Bundling & Free Programs are the prime methods used by ZUpdater.exe Trojan to proliferate its infection. Some of the free downloads offered on the internet do not reveal if other software is being installed in the background. Thus, they easily make their way into the system without user’s consent. Once ZUpdater.exe virus is installed, it consumes over 90% of the CPU’s power & graphics card power of the targeted system. This way, it makes the system extremely sluggish & deteriorates the performance of the PC. According to cyber-security analysts, while the system is running slow, hackers use computer’s resources to generate illicit revenue for themselves. Victims from around the world are looking for ways to remove...
Read more

How to Remove Search.newtabtvsearch.com or NewTabTV Redirect?

Image
Search.newtabtvsearch.com is a nasty browser hijacker that hijacks your browser to alter its homepage and new tab functionality. Besides that, it displays constant banners, pop-ups and annoying ads to diminish your overall browsing experience. What is Search.newtabtvsearch.com Redirect? Search.newtabtvsearch.com or Newtab-TV Redirect is a browser hijacker presented in the form of suspicious search engine. This search engine has been developed by Imali Media Ltd. and the company claims that the application let the users watch television, news and their favorite shows on their PC. It will replace the page you see when opening a new tab as given in the image below: Upon installation, Search.newtabtvsearch.com will present its search results to the user through http://search.yahoo.com. Browser extensions like Newtab-TV get installed as a result of software bundling along with free software or applications which the user download off the internet. Threat Summary   ...
Read more

Myquickconverter Browser Redirect Removal Instructions

Image
Guide To Remove Myquickconverter Browser Redirect  While the computer users are combating with devious search engines that are rendering infuriating browser modifications, another menacing  browser hijacker  seems to be spreading its wings. This treacherous search engine invades the system stealthily by marching in with other free software that users download from the internet. The irony is that the users are totally unaware of its installation until it replaces the default homepage & search engine for their browser to  https://search.myquickconverter.com . Impacted users are looking for ways to uninstall search.myquickconverter.com from their system. In case your default home-page has been replaced by search.myquickconverter, refer our  My quick converter redirect virus removal guide given below. What is search.myquickconverter? Search.myquickconverter  is a  misleading search engine  that sneaks in bundled with other free appl...
Read more