Kronos, the new banking trojan from Russian underground

Experts at Trusteer have recently discovered an adv on the Russian underground market regarding a new financial Trojan dubbed Kronos.

Russian underground is probably the most prolific market for sale of banking malware, malicious code like Citadel, Zeus, Gozi have infected millions computers worldwide dominating the malware threat landscape. The huge demand for banking trojan  is creating the conditions for newcomers to try to get a share of the cybercrime market.

Recently security experts have discovered different banking trojan like Geodo and Dyreza available on the black market, but today we will discuss about the last malicious code made available for purchase in a Russian underground forum dubbed Kronos malware. Kronos malware, like many other banking trojans, is a modular application which implements the principal features of such family of malware.

Experts at Trusteer have recently discovered an advertisement for Kronos malware, a new financial Trojan, on a forum in the Russian Underground. Despite the experts haven’t yet analyzed the malware, they described in a blog post the features listed in the adv. Principal characteristics described are:

• Common credential-stealing techniques such as form grabbing and HTML injection compatible with the major browsers (Internet Explorer, Firefox and Chrome);+
• 32- and 64-bit ring3 (user-mode) rootkit capable of also “defending from other Trojans”;+
• Antivirus bypassing;+
• Malware-to-C&C communication encryption;+
• Sandbox bypassing.+

Kronos malware is available for $7,000 and it includes numerous modules for evading detection and analysis, the seller also offers a “try and buy” server for $1,000, giving the possibility to test it for a week prior to buying it.  Clients have various payment options, including e-currencies Bitcoin and Perfect Money.

Below the announcement published on the Russian forum.

“”I present you a new banking Trojan. Compatible with 64 and 32bit rootkit Trojan is equipped with the tools to give you successful banking actions.Formgrabber: Works on Chrome, IE, FF in latest versions. Works on the majority of older versions as well. Steals logs from each website Webinjects: Works on latest Chrome, IE, FF, latest and majority of older versions. Injections are in Zeus config format, so it’s easy to transfer the config from one another.32 and 64bit Ring3 rootkit: The Trojan also has a ring 3 rootkit that defends it from other Trojans.

Proactive Bypass: The Trojan uses an undetected injection method to work in a secure process and bypass proactive anti-virus protections. Encrypted Communication: Connection between bot and panel is encrypted to protect against sniffers. Usermode Sandbox and rootkit bypass: The Trojan is able to bypass any hook in usermode functions which bypasses rootkits or sandboxes which use these hooks.+

1000$ a week of testing. The server will be hosted only for you. You need just a domain or a payment including the domain fee. You’ll have full access to the C&C, without any limits or restrictions during test mode.7000$ Lifetime product license, free updates and bug removals. New modules will not be free , and you will need to pay additionally. We accept Perfect Money, Bitcoin, WMZ, BTC-E.comCurrently the Trojan is written in its fullest. Next week we will have tests and bug fixing, then release. Pre-ordering the Trojan will give you a discount.”

The malware authors announced the development of new modules that will be offered for sale separately, meanwhile, updates and bug fixes will be free of charge.

Kronos, which took its name after the father of Zeus in Greek mythology, was designed with a great care in the implementation of evading techniques.

“Consistent with other financial malware developments, it seems that significant time and effort were given to evading security tools used both by end users and security white hats. In addition, the HTML injection mechanism is compatible with Zeus. Because Zeus is the most widely deployed malware, and it is likely that potential clients have used or still use Zeus variants, the authors of Kronos made sure that the HTML injection files used by Zeus operators can be easily implemented with Kronos. Coincidence or not, it is also worth noting that in Greek mythology, Kronos is Zeus’ father” wrote Etay Maor in the post.

Stay tuned for more information from monitoring of underground ecosystem.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

Security Affairs –  (Kronos, banking)

[adrotate banner=”5″]

[adrotate banner=”13″]