At the start of last month security vendor Trusteer detailed how Kronos (named after the Greek god who was the father of Zeus) was being advertised on underground forums for a price tag of US$7,000, a fee which gives would-be buyers a “lifetime product licence” that includes free updates and bug fixes from the malware author.
Etay Maor, fraud prevention solutions manager at Trusteer, an IBM company, wrote at the time that the malware was able to steal banking credentials from the Internet Explorer, Firefox and Chrome browsers – via HTML web injection – and fight off rival Trojans by using rootkits on 32-bit and 64-bit operating systems.
To make matters worse, the malware is hard to track as it typically evades anti-virus and sandbox detection and it uses encrypted command-and-control (C&C) communications, so that malicious traffic often cannot be seen.
But Jozsef Gegeny, a security researcher at s21sec, now claims to have spotted Kronos when recently inspecting the binary strings in a ‘suspicious binary’.
“This particular sample config file targeted only French financial institutions, but there may be other samples in the wild using different settings against different banking systems,” wrote the researcher.