Security firm Proofpoint has identified a new variant of the highly successful Kronos banking Trojan. It has seen three separate campaigns, in Germany, Japan and Poland, all using a new command and control (C&C) mechanism. The variant is also being sold on underground networks, which is likely to lead to increased attacks.
The details of the new Kronos campaigns were released in a blog post on the Proofpoint website. Researchers spotted the first samples of this new Kronos variant in April. They noticed that the “command and control (C&C) mechanism has been refactored to use the Tor anonymizing network.” They also report that it has been rebranded as the Osiris banking Trojan.
Kronos first appeared in 2014. It is reported that it was developed by Marcus Hutchins, the British hacker arrested by the FBI last year. After several successful campaigns the malware seemed to disappear. Hutchins is still in the USA awaiting trial for creating Kronos after being charged by the FBI. This raises a question that Proofpoint doesn’t address: “who wrote this new version?”
Three new campaigns
While first samples were seen in April, it took until June before campaigns using this new version of Kronos were spotted. The campaigns are:
Germany 27-30 June: This was an email campaign using a malicious document. Emails appear to come from German financial companies. Attackers used subject lines such as “Updating our terms and conditions”. Months of GDPR emails saying the same thing meant that users were likely to open the malicious document. Once opened, it used Word macros to download Kronos. It was targeting five German financial institutions.
Japan 13 July: A malvertising attack using Smoke Loader downloaded the Kronos Trojan. Previous campaigns by this threat actor had used the Zeus Panda Trojan. It targeted 13 Japanese financial institutions.
Poland 15-16 July: This was another email campaign, this time with fake invoice attachments. It used the Equation Editor exploit to download and install Kronos. Microsoft first issued a patch for this exploit in November 2017 and again in January 2018. Those who have not applied Microsoft patches are most at risk from this attack.
Unknown attack 20 July: Five days ago, Proofpoint identified another attack which it believes is still under development. The attack is targeted at users of Stream EYE, a streaming music player. It is hidden behind a GET IT NOW button on the website.
What does this mean?
Effective malware doesn’t just go away. Before Kronos disappeared for a while it was credited with a number of successful campaigns. This new version is likely to be just as effective as the previous version. Four campaigns have already been identified by Proofpoint in the last 25 days. They will not be the last.
For months now, cryptojacking malware has ruled the roost when it comes to malware infections. The resurgence of banking Trojans could be related to the drop in the value of cryptocurrencies. Alternatively, it could just be the season for banking Trojans as users pay less attention to their personal security while travelling on holiday. The latter is something that Check Point Software recently warned about.
Whatever the reason, users need to:
- Tighten up their device security by using security software
- Ensure all applications are patched and up to date
- Not open unexpected emails from financial institutions or unsolicited invoices
- Disable macros in Word to prevent macro-based attacks such as the German campaign
- Use a VPN to reduce the risk of drive-by attacks when using free Wi-Fi while travelling