A NEW VERSION OF BANKING TROJAN ‘KRONOS’

‘Kronos’ has a new variant in circulation, advertised with a low profile on various hacking forums. The new version of the banking Trojan has security analysts on alert, as it is expected to cause damage of higher economic value and to be more resilient than its predecessor.

The Kronos Trojan itself was first identified in 2014 and has proved to be a formidable threat to organizational data as well as open market structures. The dark side of technological advancement is always a creation with the ability to forcefully disintegrate or destabilize a functional system; however, Kronos was created for a more economic purpose than simple destruction, so to speak.

Notably, the new variant is targeting specific regions for its activities, mainly Europe and Japan, both regions with highly organized financial market structures.

The new banking Trojan was discovered when a malicious document was received by German financial institutions. Proofpoint, a renowned cybersecurity analyst organization, released a report confirming this malware and describing its possible capabilities if it finds its way into the banking system.

Proofpoint further explained that the virus functions better when downloaded. If a Word document contained this Trojan, it would feature macros that had to be enabled, downloaded or otherwise allowed. This would enable the variant to latch on. In some cases, intermediate smoke loaders are used. Smoke loaders are applications that work in synergy with the virus to mask its activities and evade detection. This is done by eliminating timestamps and obscuring modified files.

Proofpoint also reported that the most significant difference between the old Trojan and the new one is the use of .onion C&C URLs with Tor to create completely anonymous profiles.

Kronos has already gained major popularity in the underground market and has a price tag for interested buyers. It was introduced into the Russian market on a shady site, selling at a price of £5,000. This is an initial price, of course, and may drop below that when market demand grows.

On installation, the Trojan logs the user's keystrokes, along with other information such as login details. A feature peculiar to the new Trojan is that it alters the web page format of banking websites. It adds extra forms to be filled in by users and account holders. These additional forms ask for personal details such as PIN numbers.
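One way a bank's fraud team can spot the added forms described above is to compare the form controls the client actually rendered against the page as it was served. The following is an added example, not code from Proofpoint or the original article; it assumes a known-good copy of the page and a capture of the client-side markup are both available, and the sample HTML and the names `FormInventory` and `diff_forms` are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample markup (not from any real bank): the page as served,
# and the same page as rendered on an infected client with an extra form.
BASELINE = """<form action="/login" method="post">
<input type="text" name="username"><input type="password" name="password">
</form>"""
OBSERVED = BASELINE + """<form action="/login" method="post">
<input type="password" name="pin"><input type="text" name="card_number" />
</form>"""


class FormInventory(HTMLParser):
    """Counts <form> elements and records (name, type) of each form control."""

    CONTROLS = {"input", "select", "textarea"}

    def __init__(self):
        super().__init__()
        self.forms = 0
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms += 1
        elif tag in self.CONTROLS:
            # Fall back to id, then to the tag name, when attributes are missing.
            name = (attrs.get("name") or attrs.get("id") or "").lower()
            kind = (attrs.get("type") or tag).lower()
            self.fields.add((name, kind))


def inventory(html):
    parser = FormInventory()
    parser.feed(html)
    parser.close()
    return parser


def diff_forms(baseline_html, observed_html):
    """Report forms and controls present on the client but not in the baseline."""
    base, seen = inventory(baseline_html), inventory(observed_html)
    return {
        "extra_forms": max(0, seen.forms - base.forms),
        "new_fields": sorted(seen.fields - base.fields),
    }


if __name__ == "__main__":
    print(diff_forms(BASELINE, OBSERVED))
```

Any non-empty `new_fields` result, especially one asking for a PIN or card number the genuine page never requests, is a signal worth alerting on.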

According to Proofpoint, the new variant would be rebranded and distributed under the code name “Osiris.” Samples of the variant, tagged with the name of the Egyptian god of rebirth, raised flags that were picked up by security analysts as the samples gained popularity on underground forums. The file size for the Trojan is reported to be 350kb.

Sales of Kronos stand at a fixed £1,500 a month under a licensing agreement. Various banking malware threats have existed to date, but none as particular as this Trojan. Malicious emails identified as carriers have taken priority for the first half of this year.
