New banking malware 'Kronos' advertised on underground forums

Its creators seek to establish the new threat as a premium commercial alternative to older Trojans like Zeus

A new Trojan program designed to steal log-in credentials and other financial information from online banking websites is being advertised to cybercriminal groups on the underground market.

The new malware is called Kronos and, based on a recent ad seen in a Russian cybercriminal forum, it can steal credentials from browsing sessions in Internet Explorer, Mozilla Firefox and Google Chrome by using form-grabbing and HTML content injection techniques, said Etay Maor, a senior fraud prevention strategist at IBM subsidiary Trusteer, Friday in a blog post.

According to the ad, the new threat is compatible with content-injection scripts -- also known as Web injects -- developed for Zeus, a popular online banking Trojan that's no longer in development. This design decision is intended to allow cybercriminals who still use Zeus variants in their operations to easily switch to Kronos.

In addition to the information-theft capabilities, the new Trojan has a user-mode rootkit component for 32-bit and 64-bit Windows systems that can protect its processes from competing malware. Its creator also claims that Kronos can evade antivirus detection and sandbox environments typically used for malware analysis.

The new cybercriminal tool is being advertised for $7,000, a price that includes the promise of continued development, free upgrades and bug fixes.

"Most malware today is sold in the low hundreds of dollars, sometimes even offered for free due to several malware source code leaks," Maor said. "It remains to be seen how popular Kronos will be within the cyber crime community," he said.

The premium price suggests that Kronos is intended as a replacement for former commercial crimeware toolkits like Zeus, Carberp and SpyEye, whose development has been discontinued or whose source code has been leaked in recent years.

According to researchers from Kaspersky Lab, who also saw the Kronos advertisements on several underground forums last week, the new online banking threat appears to be based on the source code of Carberp.

The screen shots posted by Kronos' author demonstrate fragments of code injected into other processes and the code looks pretty similar to Carberp's, said Dmitry Tarakanov, senior security researcher at Kaspersky Lab, Monday via email.

Carberp has also been sold to cybercriminals in the past at a premium price, but the malware's source code was leaked online last year, possibly after internal disputes between its creators.

Trusteer and Kaspersky Lab have yet to obtain a sample of Kronos for analysis.

The $7,000 price is not a sum that would scare off serious cybercriminals if the offer is solid, Tarakanov said. "Professional groups can make hundreds of thousands [of dollars], so $7,000 is more than acceptable for them."

Without third-party analysis the claims made by Kronos' creator should be viewed with skepticism, said Chris Boyd, malware intelligence analyst at Malwarebytes, via email. "In particular, sandbox bypassing is a very broad claim -- there are multiple sandboxes and they all have many ways to defeat evasive malware. Getting around one could well be doable, but all of them? It's probably unlikely, and if it could do that one suspects it would fetch a much higher asking price."

The promise of continued support and bug fixes might be one of the most attractive features of Kronos, according to Tim Erlin, director of security and risk at Tripwire.

"Anyone running a business requires stable and secure software to do so, and that includes cybercriminals," Erlin said. "Being new, and therefore harder to detect, is [also] a feature in and of itself."

News of this new online banking malware threat comes after law enforcement agencies from several countries at the beginning of June worked with security vendors to shut down a financial fraud botnet based on a Zeus spin-off called Gameover. The FBI estimates that the botnet led to losses of over US$100 million globally.

On Friday, security researchers from CSIS Security Group in Denmark reported that the source code of yet another online banking Trojan called Tinba was leaked on underground forums.

"The cybercriminal underground is a market," Tarakanov said. "Source code leakages and botnet shutdowns have been happening constantly but we see virus writers from time to time come up with new (or based on old but modified) banking malware. It proves that the market wants such tools."
