Security researchers have uncovered a new version of Kronos, a banking Trojan, that utilizes the TOR network. First uncovered back in 2014, the Kronos malware was very popular until its abrupt disappearance from the threat scene.
Proofpoint security researchers first found this Egyptian variant of the banking Trojan earlier this month. It has been rebranded as Osiris and cybercriminals have been using it in attacks in locations throughout Germany, Japan, and Poland. Osiris’ creators are currently selling the malware in the dark web.
In a blog, Proofpoint researchers stated,
“Kronos malware has been well-documented previously. It is a banking Trojan that uses man-in-the-browser techniques along with webinject rules to modify the web pages of financial institutions, facilitating the theft of user credentials, account information, other user information, and money through fraudulent transactions. It also has keylogging and hidden VNC functionality to help with its ‘banker’ activities.”
Additionally, the researchers discovered that cybercriminals using Osiris are also involving the malware in a 4th campaign that seems to still be in the developmental stage. June 27th marked the date of the 1st campaign, targeting German victims. Sometimes, SmokeLoader malware was used in the campaign as an intermediary. Another campaign was launched by the hackers that targeted Japanese victims and SmokeLoader was used to drop the newly reborn Kronos.
On July 15th, the hackers began their next campaign, this time targeting Poland victims using the EquationEditor exploit for the dropping of Kronos on the systems that were targeted. The latest campaign started on July 20th. It is believed to still be a “work in progress” at this time, yet it is not quite clear which nation or country this newest campaign will be targeting.
Osiris is similar to Kronos in many ways. They share the same extensive code and string overlap, and the same C2 encryption and protocol. They also have the same Windows API hashing techniques, as well.
Osiris is a banking malware, just like Kronos, and has the ability to steal credentials and perform keylogging. The only big difference between Osiris and Kronos is that Osiris’ C2 has been configured to utilize the TOR network.
An ad for the Osiris malware on a dark web hacking forum states that it is 350KB and written in C++.
Leave a comment below if you have any thoughts on this.