At the start of last month security vendor Trusteer detailed how Kronos (named after the Greek god who was Zeus' father) was being advertised on underground forums for a price-tag of US$ 7,000, a fee that gives would-be buyers a “lifetime product licence” including free updates and bug removals by the malware author.

Etay Maor, fraud prevention solutions manager at Trusteer, an IBM company, wrote at the time how the malware was able to steal banking credentials from the Internet Explorer, Firefox and Chrome browsers – via HTML web injection – and fight off rival Trojans by using rootkits on 32-bit and 64-bit operating systems.

To make matters worse, the malware is hard to track: it typically evades anti-virus and sandbox detection, and it uses encrypted command-and-control (C&C) communications, so that malicious traffic often cannot be seen.

But Jozsef Gegeny, a security researcher at s21sec, now claims to have spotted Kronos when recently inspecting the strings in a ‘suspicious binary’.

Revealing his findings in a blog post published on Monday, Gegeny said that the firm was able to reverse-engineer the code and confirm that the features of the malware match those previously described. He added that it uses “Zeus-style web-injects” in HTML and JavaScript to trick the user and carry out fraudulent transactions without the user's knowledge. To date, only French banks are known to have been affected.

“This particular sample config file targeted only French financial institutions, but there may be other samples in the wild using different settings against different banking systems,” wrote the researcher.