View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 25, 2018updated 06 Jul 2022 8:57am

New Version of Banking Trojan Kronos is Here and it’s Cheaper than Ever

New variant is being advertised on underground hacking forums

By CBR Staff Writer

The Kronos banking Trojan which was first discovered in 2014 is back – and cybersecurity analysts say an updated version is now targeting Europe and Japan.

The new variant of the Trojan was first detected when malicious documents were sent to German financial institutions, according to Cybersecurity analysts Proofpoint who released a report on the new Trojan yesterday.

Proofpoint commented in their report that “The Word documents contained macros that, if enabled, downloaded and executed a new variant of the Kronos banking Trojan. In some cases, the attack used an intermediate Smoke Loader.”

A Smokerloader is an application that can evade detection through changing the timestamp of its executable and hiding modified files.

With this new Kronos variant Proofpoint found that: “One of the major differences between the new and old versions is the use of .onion C&C URLs along with Tor to help anonymise communications.”

On Sale

Kronos first surfaced in Russia on an underground site where it was selling for £5,000.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

When the Trojan is installed on a computer it will log the key strokes of the user, who will potentially be giving away reams of sensitive information, like login credentials.

One of the features of Kronos was that it could change the format on the web pages of banking sites so that they included additional form pages where users could enter in account details and pin numbers.

Proofpoint believe that they have identified not just the new variant of Kronos, but a re-branded campaign to sell the Trojan under the name Osiris.

“Around the same time samples of the new version of Kronos were appearing in the wild, an ad for a new banking Trojan called “Osiris” (the Egyptian god of rebirth, among others) appeared on an underground hacking forum,” they noted.

The advertisement on the underground hacking forum says that the file size of Osiris is 350KB, which is similar in size to samples we have of Kronos.

This malware is been sold under a licencing agreement for £1,500 a month.

Proofpoint state that: “The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape.”

“The first half of this year has been marked by substantial diversity among malicious email campaigns but banking Trojans in particular have predominated,” they note.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.