New trojans appear targeting UK banks

News by Max Metzger

Named after mythological figures, these two trojans are set to target some major financial institutions in the UK

The UK is seeing new waves of the infamous Zeus trojan family attacking it's financial institutions.

IBM's dangerous-sounding Security X force have found two types of the trojan make their way onto the UK's shores - Kronos and Sphinx, relatives of Zeus. X-Force's team of analysts and researchers produces threat intelligence for companies and found these two trojans after monitoring forums that are popular with hackers. It was only later, however, that they confirmed that Kronos and Sphinx had made their way to the UK and are actively attacking banking institutions here.

Kronos, taking its name from the father of Zeus in Greek mythology, comes with several sneaky features including anti-virus bypassing, sandbox bypassing and common credential stealing techniques. 

It was first spotted in mid-2014 but has been curiously elusive in the last few months. The reemergence of this trojan has not produced any updates or improvements of the malware itself, but it has been reconfigured to target several banks in the UK.

When Kronos first emerged, fraud specialist Etay Maor  wrote in a blog post that Kronos is easily usable with Zeus: "Because Zeus is the most widely deployed malware, and it is likely that potential clients have used or still use Zeus variants, the authors of Kronos made sure that the HTML injection files used by Zeus operators can be easily implemented with Kronos."

Mike Loginov, CEO and founder of Ascot Barclay, a cyber-security company, offered some insight to explaining that Kronos aims to harvest a victim's online banking credentials, telephone banking passwords and credit card information while Sphinx is used for the theft of online banking authentication including capturing user credentials, cookies and certificates. 

Sphinx's targets can wildly differ, considering that it's sold to the highest bidders. This particular malware, like Kronos, has been configured to target several major UK banks.

Loginov added that the emergence of these two trojans in the UK is: "...a significant indicator that cyber-criminals are again targeting and harvesting the credentials of UK citizens which should be a concern for all."

The UK has emerged as a top target for global cyber-criminals, according to recent reports,because of its strong financial industry. Security Intelligence magazine, reports that: “While the UK is already the most targeted area for banking trojan malware configurations (per IBM Trusteer data), the past few months have shown more activity than usual.”

Last month, another banking trojan, called Shifu, or thief in Japanese, migrated from its home country of Japan to attack UK financial institutions. The trojan, thought to created by Russian-speaking authors, only targeted 14 Japanese banks but has now trained its sights on 18 new targets within the UK.

Drew Perry, chief cyber analyst at Ascot Barclay offered a technical perspective to SC on the new trojans, Sphinx and Kronos

"While some of their features are unique," says Perry, "the delivery methods still stay the same, which is via exploit kits." These kits leverage the vulnerabilities found in Browsers, Flash and Java among others.

Perry reminded SC: "The most critical thing is keeping these applications up to date, and when a zero day vulnerability is uncovered, that these applications and plug-ins are disabled until patched." He added, "If using centralised logging and security monitoring, look for increases in application log errors for Chrome. The author may have engineered Kronos to crash Chrome forcing users to a more vulnerable browser such as IE or Firefox to increase infection rates."


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews