Kronos is Back from the Dead in Resurgence of Banking Trojan Threat


Trevor Reschke Head of Threat Intelligence

The re-emergence of the Kronos malware illustrates a shift in criminal tactics, a resurgence in banking Trojans, and could call into question who *really* is behind the code.


Let me begin with the acknowledgement that, according to the 2018 Verizon Data Breach Investigations Report, attacks on web application authentication mechanisms driven by banking Trojan botnets happen – a lot. That report comments “had we included the almost 40,000 of them as part of the analysis, nothing else would come to light.”


So unsurprisingly, after more than a year in the wilderness, the Kronos banking Trojan appears to have returned, according to security researchers at Proofpoint.


The researchers have observed a new variant of the malware being used in recent campaigns in Germany, Japan and Poland. A fourth campaign involving the malware appears to be in the works and is currently being tested.


The original Kronos malware first appeared in 2014 and went on to target UK and Japanese businesses, before hitting French and Canadian banks among others. Similar to the widely-spread Zeus Trojan, it was focused on stealing banking login credentials from browser sessions.


The Proofpoint researchers note that the new variant is markedly similar to the older version, except this time it uses Tor to hide the communication of its command and control (C&C) servers. The new version uses the same Windows API hashing techniques and hashes, encryption technique, C&C encryption mechanism, Zeus webinject format and C&C panel layout. It even includes a self-identifying string sequence labeling it as Kronos, though Proofpoint says that the criminals have rebranded it as ‘Osiris’ in a bid to sell it on underground markets. In terms of distribution, the Trojan has been propagated via a variety of different methods, including social engineering and malvertising.


Though the tactics remain largely consistent with the methods of the original Kronos Trojan, the falling price of the malware on the dark web would seem to indicate a more competitive criminal landscape. The malware could be licensed for $7,000 per month back in 2014, but an ad on an underground web forum suggests that Osiris – at 350 kb, a very similar sample size to that of Kronos according to Proofpoint experts — fetches around $2,000 for a monthly licensing agreement.


Why are Banking Trojans Still a Threat? 

Sherrod DeGrippo, director of emerging threats at Proofpoint, said that the re-emergence of Kronos highlighted that banking Trojans ‘have come to dominate the threat landscape over the first half of 2018’, and it was notable too that Proofpoint’s report suggested Kronos itself would “continue as a fixture in the threat landscape for now.”


At Trusted Knight, we believe that banking Trojans are still omnipresent because they exploit built-in security flaws in the Windows operating system – the OS contains features that are fundamentally incompatible with security.


For instance, process injection (e.g., CreateRemoteThread) — where third-party code can be inserted into a running process to modify its functionality — remains possible on the most recent releases of Windows. Likewise, API hooking (e.g., SetWindowsHookEx) is still permitted. Both features exist to enable programs that customize user experience, but in practice are often used by malicious code.


Fortunately, in recent years, Microsoft has taken some steps to tighten their security measures. For example, process injection into system code is generally forbidden to an unprivileged program under Windows 10.


However, it is here where user error represents a real challenge. Gullible users will still happily override protection mechanisms to open that important attachment, or perhaps succumb to whichever ruse of the day the phisher happens to use. In short, banking trojans remain an attractive method of attack because they rely on the weak point that financial institutions are protecting no better today than they did in 2014 – their customers.


Endpoint protection has fallen flat due to lack of uptake from users. It’s notoriously hard to get people to download software, and the best Trojans will be able to bypass this protection anyway. Even when it first appeared in forums in 2014, Kronos was already billed as bypassing antivirus and sandbox protections.


Sadly, most financial institutions seem to have just accepted this kind of attack as a fraud loss – “the cost of doing business”. Where the criminals are continually innovating their methods, banks have done little.


The most logical solution is to take the fight away from the user device and onto a battleground where banks have the advantage. It is not possible to stop all users from being infected with malware, but if they can protect the transaction session, they can stop credentials from being taken in any useful form. Stop what the malware is trying to do, rather than the malware itself.


Trusted Knight’s Protector Air does precisely that – as a cloud-based solution that defeats customer-side malware, prevents web application exploitation, and stops transactional fraud. Click the links below to find how we can help you eradicate banking trojans as an issue once and for all.


Request a Free Trial Download Whitepaper Now