New banking Trojan 'Kronos' attacks French banks

News by Doug Drinkwater

The much-rumoured banking Trojan 'Kronos' has appeared in the wild and is stealing money unbeknown to the French bank account holders that it targets.

At the start of last month security vendor Trusteer detailed how Kronos (the name of the Greek god Zeus' father) was being advertised on underground forums for a price-tag of US$ 7,000, a fee which give would-be buyers a “lifetime product licence” which includes free updates and bug removals by the malware author

Etay Maor, fraud prevention solutions manager at Trusteer, an IBM company, wrote at the time how the malware was able to steal banking credentials over the Internet Explorer, Firefox and Chrome browsers – via HTML web injection – and fight off rival Trojans by using rootkits on 32-bit and 64-bit operating systems.

To make matters worse, the malware is hard to track as it typically evades anti-virus and sandbox detection and it uses encrypted command-and-control (C&C) communications, so that malicious traffic often cannot be seen.  

But Jozsef Gegeny, a security researcher at s21sec, now claims to have spotted Kronos when recently inspecting binary string in a ‘suspicious binary'.

Revealing his findings in a blog post published on Monday, Gegeny said that the firm was able to reverse-engineer the code to confirm that the features of the malware match those previously described, while he added that it uses “Zeus-style web-injects” in HTML and JavaScript to trick the user and carry out a fraudulent transactions without the user's knowledge. To date, only French banks are known to have been affected.

“This particular sample config file targeted only French financial institutions, but there may be other samples in the wild using different settings against different banking systems,” wrote the researcher.

Independent security consultant Adrian Culley told that this new malware is proof that advanced threats are targeting banks and other financial institutions, and that antivirus and sandboxing must improve if they're to be part of an effective incident response plan.

“This timely analysis of Kronos highlights that whilst anti-virus and sandboxing will continue to have their part to play in any incident response scenario, they are of themselves only security stepping stones, easily bypassed by the informed and skilled hacker, and any reliance placed upon them must be qualified and measured,” said Culley.

“Advanced threats targeting financial institutions, in this instance French ones, continue to demonstrate a range of anti-reverse engineering and anti-analysis techniques. Unfortunately we cannot put the genie back in the bottle, and it is likely going forward that we will not only continue to see increasingly sophisticated, blended malware appear in the wild, but also an increasing number of 'copycat' techniques.

Tim Holman, CEO at QSA 2-Sec and also president of not-for-profit organisation ISSA UK, added in an email to SC that the breed of malware like Kronos is ‘nothing new', saying that most target home users and send viruses as attachments in phishing emails, but did warn that banking Trojans are getting better.

“Banking Trojans are certainly evolving – Kronos in particular supports multiple browsers, multiple operating systems (Mac, Linux, Windows) and can be managed with a central command and control system.  The hit rate is certainly going to be big, and it seems pretty straightforward to configure and target multiple banks,” he told SC.

“So if Kronos is on your system, it will be listening for calls to “HSBC” or “Credit Agricole” for example, and automatically send back entered credentials to the command and control centre.  All the criminals have to do is sit and wait, whilst this data is silently harvested.”

Holman added that the C&C operators won't be using this data but rather selling it on, further proof that crime-as-a-service is a burgeoning market, but suggested that the recent take-downs of Gameover Zeus and Shylock indicate that law enforcement may already be on the case.

“With the likes of the FBI, Europol and the NCA actively targeting command and control systems, I doubt Kronos will be around for too long, but on the flip side it's pretty straightforward for a cyber-criminal to rename, recompile, repackage the malware and start selling it on in another guise instead.”

Over at Tenable Network Security meanwhile, the firm's EMEA technical director Gavin Millard said that while Kronos isn't doing anything fundamentally different from other malware families, it could still represent big problems for unprepared bank customers.

“Kronos, the new malware on the scene with its evasion techniques and encrypted communication, isn't doing anything fundamentally different from other existing malware families but will still be successful in evading detection and scraping the details of unsuspecting banking customers that only rely on anti-malware and anti-virus applications to protect them.”

Amar Singh, CISO and independent adviser, meanwhile, said that the Trojan is to be expected when the browser is ‘one of the weakest things after the human', especially with many reliant on vulnerable software like Java and Flash.

“The browser is almost our window into everything…we're living life on the browser - our whole banking experience, our social media experience," Singh told SC. "The browser has almost become our operating system.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews