Proofpoint researchers have discovered that a new version of the Kronos banking Trojan is in the wild, with campaigns already active in Germany, Japan and Poland.
Kronos gained more than a little infamy when British security researcher Marcus Hutchins, who found the kill switch that stopped the WannaCry ransomware attack in its tracks last year, was arrested in the United States on suspicion of being the author of the banking Trojan.
This new variant, which is being sold through cyber-crime channels under the name 'Osiris', adds Tor network support in order to anonymise its command-and-control (C&C) communications.
Kronos itself first surfaced in 2014, when it was being sold for as much as US$ 7,000 (£5,318), and for a while it dominated the banking malware market, not least because it could bypass most anti-virus products using a custom, and at the time undetected, code injection technique.
In their analysis of the campaigns seen in the wild, the Proofpoint researchers identify a number of similarities between 'Osiris' and the original Kronos Trojan: the two share much of the same codebase, the same Windows API hashing technique and the same hash values, the same 'Zeus' webinject format and the same string encryption technique.
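The "Windows API hashing" the researchers mention is the standard import-hiding trick: rather than naming LoadLibraryA or VirtualAlloc in the import table, the loader stores a 32-bit hash of each name and resolves it at runtime by hashing the export names of the loaded DLL until one matches. Because those hashes are fixed constants, they also act as a fingerprint, which is why matching hash values across samples is evidence of a shared codebase. The following is an added example, not code from Proofpoint or from the malware; the ROR-13 hash function, the export list and the sample blob are assumptions for illustration and are not claimed to be what Kronos uses.

```python
import struct

# Added illustration of the "Windows API hashing" technique named in the article.
# The ROR-13 rolling hash below is an ASSUMPTION for illustration (the page does
# not say which function or constants Kronos uses); the export list and blob are
# constructed, not taken from any sample.

# Constructed list of export names a triage script might precompute hashes for.
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "WriteProcessMemory", "CreateRemoteThread", "InternetOpenA", "HttpSendRequestA",
]


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits` (the x86 ROR instruction)."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def api_hash(name):
    """ROR-13 hash over the export name's ASCII bytes plus its NUL terminator.

    This mirrors the rolling hash popularised by Metasploit's block_api stub;
    it is an assumption here, not a claim about Kronos's own function."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def resolve_export(wanted, export_names):
    """Runtime side: walk a DLL's export names, hash each, stop at the match.

    A real stub walks the PE export directory; `export_names` stands in for it."""
    for name in export_names:
        if api_hash(name) == wanted:
            return name
    return None


def build_hash_table(names):
    """Triage side: precompute hash -> name so constants in a sample can be labelled."""
    return {api_hash(n): n for n in names}


def find_api_hashes(blob, table):
    """Scan a byte blob at every offset for a little-endian dword equal to a known hash."""
    hits = []
    for off in range(len(blob) - 3):
        value = struct.unpack_from("<I", blob, off)[0]
        if value in table:
            hits.append((off, table[value]))
    return hits


# Constructed blob: filler bytes with two hash constants embedded the way a loader
# stub embeds them instead of import-table names.
SAMPLE_BLOB = (
    b"\x90" * 5
    + struct.pack("<I", api_hash("VirtualAlloc"))
    + b"\xcc\xcc"
    + struct.pack("<I", api_hash("CreateRemoteThread"))
    + b"\x00" * 3
)

if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    for off, name in find_api_hashes(SAMPLE_BLOB, table):
        print(f"offset {off:#06x}: {name} ({api_hash(name):#010x})")
    print(resolve_export(api_hash("GetProcAddress"), KNOWN_EXPORTS))
```

The triage side is the useful half for a defender: once the hash function of a family is known, a table built over the exports of kernel32, ntdll and wininet turns the opaque constants in an unpacked sample back into API names, and the same constants can be used as a YARA-style fingerprint across variants.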
Kronos 'Osiris' still takes a man-in-the-browser approach, using webinject rules to modify banking web pages as they are rendered. The original keylogging capability is also present, as is hidden VNC functionality for remote control of the infected machine.
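To make the man-in-the-browser point concrete: a webinject rule names a URL pattern and a fragment of page content, and the malware, hooked into the browser's network functions, rewrites the server's response before it is rendered. The bank's server never sees the extra field, and the TLS session is intact, which is why the later quotes say there is little a bank can do on its side. The following is an added example, not code from the page, Proofpoint or the malware: it parses a rule in the Zeus webinject format (set_url, data_before, data_inject, data_after, data_end) and applies it to a constructed login page. The hostnames, page and rule are made up; the format itself is the publicly documented Zeus one.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the Zeus webinject format the article says Kronos/Osiris
# shares: "set_url <url-wildcard> <flags>" followed by data_before / data_inject /
# data_after blocks, each closed by data_end. The hostname is made up.
SAMPLE_WEBINJECTS = """\
; inject a fake PIN field under the password box on the login page
set_url https://online.example-bank.test/login* GP
data_before
<input type="password"*>
data_end
data_inject
<label>ATM PIN</label><input type="text" name="pin">
data_end
data_after
data_end
"""

# Constructed page as the browser receives it from the (uncompromised) bank server.
SAMPLE_LOGIN_PAGE = (
    '<form action="/login" method="post">'
    '<input type="text" name="user">'
    '<input type="password" name="password">'
    '<button>Sign in</button></form>'
)


def parse_webinjects(text):
    """Parse Zeus-style rules into dicts with url, flags, before, inject and after."""
    rules, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if section is None:
            if not line or line.startswith(";"):      # ';' starts a comment
                continue
            if line.startswith("set_url"):
                parts = line.split(None, 2)
                current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                           "before": [], "inject": [], "after": []}
                rules.append(current)
            elif line in ("data_before", "data_inject", "data_after") and current is not None:
                section = line[len("data_"):]
        elif line == "data_end":
            section = None
        else:
            current[section].append(raw)                # body lines kept verbatim
    return [{k: "\n".join(v) if isinstance(v, list) else v for k, v in r.items()}
            for r in rules]


def _wildcard_re(pattern):
    """Zeus content patterns use '*' as the only wildcard; everything else is literal."""
    return re.compile(".*?".join(re.escape(p) for p in pattern.split("*")), re.S)


def rule_applies(rule, url, method):
    """G/P flags select GET/POST requests; the URL is matched with shell-style wildcards."""
    return fnmatchcase(url, rule["url"]) and method[:1].upper() in rule["flags"].upper()


def apply_webinjects(html, rules, url, method="GET"):
    """Man-in-the-browser step: rewrite the response body before the browser renders it.

    Zeus semantics: the text between the data_before and data_after matches is
    replaced by data_inject; with an empty data_after, data_inject is inserted
    immediately after the data_before match."""
    for rule in rules:
        if not rule_applies(rule, url, method) or not rule["before"]:
            continue
        m = _wildcard_re(rule["before"]).search(html)
        if not m:
            continue
        start = end = m.end()
        if rule["after"]:
            m2 = _wildcard_re(rule["after"]).search(html, end)
            if not m2:
                continue
            end = m2.start()
        html = html[:start] + rule["inject"] + html[end:]
    return html


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_WEBINJECTS)
    print(apply_webinjects(SAMPLE_LOGIN_PAGE, rules,
                           "https://online.example-bank.test/login?lang=en", "GET"))
```

Note that the same machinery works for any site once a new set_url block is added, which is what the CrowdStrike comment below about "updating config files" refers to: retargeting the Trojan is a configuration change, not a code change.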
But why are Trojans such as Kronos so successful? Why are banking Trojans still even a thing in 2018? "Cyber-criminals tend to follow the money and, simply put, banking trojans work," Sherrod DeGrippo, Director of Emerging Threats at Proofpoint, told SC Media UK, adding: "banking Trojans allow threat actors to literally remove funds from a target bank account; the financial gain is instant."
Paul Ducklin, Senior Technologist at Sophos, points out that you might be forgiven for "thinking that the malware scene was all about cryptojacking and ransomware these days, but that's because those threats are more exciting to write about and are currently hogging the media spotlight." As long as banking malware keeps making money, there is no incentive to abandon such a lucrative venture.
Then there's the fact that cyber-criminals love a soft target, such as the man or woman in the street who most likely runs unpatched software with elevated privileges. "They know that if they send out enough phishing emails, at some point someone will fall for their social engineering plot, click the link or open the attached document," Wicus Ross, Security Researcher at SecureData, told SC Media. Ross is not at all surprised by the re-emergence of Kronos. "The number of active information-stealing malware is a clear indication that their tactics and techniques are effective," he says; "even granddaddy Zeus or ZBot is still actively being tracked after 11+ years."
But is there anything the banking sector itself should be doing to be better protected against such malware? Zeki Turedi, Technology Strategist at CrowdStrike, thinks that because the customer is targeted directly, and because these Trojans can easily be pointed at new targets by updating their configuration files, it is hard for the banking sector to react. "The challenge will not stop any time soon," Turedi said in conversation with SC Media UK; "threat intelligence on criminal actors, campaigns, and ecosystems is required to defend against the tactics, techniques, and procedures employed by these specific groups."
Oliver Fay, Senior Threat Intelligence Consultant at Context Information Security, agrees that because the attack takes place on the infected client computer "there's very little that banks can do to defeat them as an attack vector." That doesn't mean banks are doing nothing to mitigate the risk, of course, but they could be doing more, according to Danny O'Neill, Head of Managed Security (EMEA) at Rackspace. "The financial sector needs to drop its legacy 'set and forget' mentality and adapt to the modern threat landscape," he said in conversation with SC Media, continuing: "whilst there were known similarities from previous variants of Kronos, this version changed its Command & Control methodology to anonymise communications. A static device would likely miss this, highlighting the need for proactive analysis of command line activity and data flows to detect suspicious activity..."