
KINS trojan is threatening banking sector

KINS is the name of a new banking trojan that RSA researchers discovered through an announcement on the Russian black market.

In early 2013, RSA discovered traces of a new banking trojan named KINS, and security experts have since followed the evolution of the malware in the underground community. RSA researchers found an announcement on the Russian black market for the new Trojan toolkit.

The advertisement for the sale of KINS was published on a closed Russian-speaking underground forum.

According to RSA experts, the KINS trojan could have a greater impact on the banking ecosystem than its predecessors SpyEye and Zeus; it is the first public offer of such malware since the Citadel malicious code was withdrawn from cyber criminal commerce at the end of 2012.

“This is the first actual commercial Trojan we’ve seen in a while, since Citadel was taken off the market. We haven’t seen anything serious enough on the part of malware developers,” and “This is the first time something might materialize into a real, commercial banking Trojan,” declared Limor Kessem, cybercrime specialist at RSA.

Is KINS trojan linked to other malware such as Zeus or SpyEye?

The advertisement for KINS found by RSA experts claims that the malicious code is a totally new project, not derived from re-engineering the source code of other malware.

RSA researchers are investigating to verify this assertion. Although the authors of KINS maintain that the trojan is not based on previous malware, RSA says it has many similarities with its predecessors, including a main file plus DLL plug-ins, compatibility with Zeus Web injections, and the Anti-Rapport plug-in that shipped with SpyEye.

Another interesting feature is that Russian users apparently cannot be infected by KINS, exactly as was the case with Citadel.

KINS has a modular structure: the basic offer includes a bootkit, a dropper, DLLs and Zeus-compatible Web injects. The authors sell the KINS trojan for $5,000 in its basic configuration and offer each additional module and plug-in for $2,000 apiece.

The bootkit component is considered one of the most interesting features, since none of KINS' predecessors was equipped with a bootkit. It is a Volume Boot Record (VBR) bootkit, designed to conceal the presence of the Trojan, which takes hold of the infected computer from a much deeper level.

The following key features were highlighted by RSA:

  • KINS trojan architecture is built like Zeus/SpyEye, with a main file and DLL-based plugins
  • KINS is compatible with Zeus web injections, the same as SpyEye
  • KINS trojan comes with the Anti-Rapport plugin which was featured in SpyEye
  • KINS will work with RDP (like SpyEye)
  • KINS trojan does not require technical savvy – much as Zeus doesn’t
  • Users in USSR countries will not be infected by KINS – a feature that was first introduced by Citadel in January 2012.
  • Keeping KINS away from Trojan trackers – a problem that plagued SpyEye
  • Spread via popular exploit packs such as Neutrino – using one of the most sophisticated packs out there
  • A Bootkit in store – the Trojan will take hold of the infected computer from a much deeper level, its Volume Boot Record (VBR)
  • KINS will easily infect machines running Win8 and x64 operating systems

To get an idea of the cost of a bootkit, consider that the authors of the Carberp Trojan offered theirs on the black market for $40,000; KINS, however, is the first commercial Trojan that comes with a built-in bootkit mode.
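Because a VBR bootkit lives in the first sector of the volume rather than in the file system, a defender's first integrity question is whether that sector still matches a known-good baseline. The script below is an added example, not code from the article or from RSA: it parses the fixed layout of an NTFS Volume Boot Record (jump instruction, OEM ID, BIOS Parameter Block fields, bootstrap code area, 0x55AA signature), records a SHA-256 of the bootstrap code as a baseline, and reports when a later read of the sector diverges from it. The VBR bytes are a constructed sample with placeholder boot code; `tamper_boot_code` only mutates that constructed buffer so the check has something to flag.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
NTFS_OEM_ID = b"NTFS    "
BOOT_CODE_OFFSET = 0x54          # NTFS bootstrap code follows the extended BPB
SIGNATURE_OFFSET = 0x1FE


def build_sample_ntfs_vbr() -> bytes:
    """Construct a synthetic NTFS-style VBR (constructed sample, not a real disk image)."""
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xEB\x52\x90"                      # JMP SHORT +0x52 ; NOP
    vbr[3:11] = NTFS_OEM_ID                         # OEM ID
    struct.pack_into("<H", vbr, 0x0B, 512)          # bytes per sector
    vbr[0x0D] = 8                                   # sectors per cluster
    struct.pack_into("<Q", vbr, 0x28, 2_097_151)    # total sectors (constructed)
    struct.pack_into("<Q", vbr, 0x30, 786_432)      # $MFT cluster number (constructed)
    struct.pack_into("<Q", vbr, 0x38, 2)            # $MFTMirr cluster number (constructed)
    vbr[BOOT_CODE_OFFSET:BOOT_CODE_OFFSET + 4] = b"\xFA\x33\xC0\x8E"  # placeholder boot code
    vbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = BOOT_SIGNATURE
    return bytes(vbr)


def parse_vbr(sector: bytes) -> dict:
    """Decode the fixed NTFS VBR fields and hash the bootstrap code region."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    return {
        "jump": sector[0:3].hex(),
        "oem_id": sector[3:11],
        "bytes_per_sector": struct.unpack_from("<H", sector, 0x0B)[0],
        "sectors_per_cluster": sector[0x0D],
        "total_sectors": struct.unpack_from("<Q", sector, 0x28)[0],
        "mft_cluster": struct.unpack_from("<Q", sector, 0x30)[0],
        "signature_ok": sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[BOOT_CODE_OFFSET:SIGNATURE_OFFSET]).hexdigest(),
    }


def check_vbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the VBR matches expectations."""
    info = parse_vbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["oem_id"] != NTFS_OEM_ID:
        findings.append(f"unexpected OEM ID {info['oem_id']!r}")
    if info["jump"][:2] not in ("eb", "e9"):          # real VBRs start with a short or near JMP
        findings.append(f"first byte {info['jump'][:2]} is not a jump opcode")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("bootstrap code differs from recorded baseline")
    return findings


def tamper_boot_code(sector: bytes) -> bytes:
    """Mutate the constructed sample's boot-code area so the check has a change to detect."""
    patched = bytearray(sector)
    patched[BOOT_CODE_OFFSET:BOOT_CODE_OFFSET + 4] = b"\x90\x90\x90\x90"
    return bytes(patched)


if __name__ == "__main__":
    clean = build_sample_ntfs_vbr()
    baseline = parse_vbr(clean)["boot_code_sha256"]
    print("clean VBR findings:", check_vbr(clean, baseline))
    print("tampered VBR findings:", check_vbr(tamper_boot_code(clean), baseline))
```

On a live Windows host the same check would be fed the first 512 bytes of the volume device (reading it requires administrative rights), with the baseline hash recorded at provisioning time and stored off the machine; the sample bytes here stand in for that read so the logic can be exercised offline.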

“This guy is planning to bring in a bootkit. That’s interesting. It’s going to be an interesting way to have the Trojan infect a computer: it’s more stealthy when it’s a bootkit,” Kessem said.

RSA revealed that the commercial Trojan market is in turmoil:

“The ongoing turbulence since the leak of the Zeus code in mid-2011 has not given way to a stable offering in the underground, and it seems that professional cybercrime malware developers are just not what they used to be.”

KINS is going to be very successful: law enforcement has arrested the principal actors of the black markets, so we are in a situation where demand for banking malware is high and the cybercrime underground is missing its main players.

Pierluigi Paganini

(Security Affairs – malware, KINS trojan)
