Khronos yesterday, Osiris today – the evolution of a Bank Trojan
Proofpoint, a cybersecurity firm has announced in their study that Japan, Poland, and Germany banks are in the crosshairs of a new variant of the Kronos bank trojan. Kronos was first detected four years ago has recently seen in the wild spreading through infected spam messages and exploit kits for sale on the Dark Web. The new version of Kronos appears to be publicly remarketed as Osiris (named after the Ancient Egyptian god of rebirth), with its command and control algorithm communicates with the infected machine using the Tor anonymizing network.
In analyzing its behavior and structure, Proofpoint stressed that the Osiris variant resembles its predecessor as they both share a similar code-base. Khronos made calls to standard Windows API hashing function to perform an evasive injection type of infection, in an effort to bypass signature virus scans of antimalware software.
The Osiris variant hijacks the browsers installed in Windows, installs itself to the browser as a sort of invisible plugin which watches over the activities of the user. The virus will then spring into action once the user attempts to visit a bank website, keylogging the user login credentials of the unsuspecting user and send it to the virus authors.
Sherrod DeGrippo, Proofpoint’s Director of Emerging Threats explained on why banking trojans are still relevant in today’s security: “Cyber-criminals tend to follow the money and simply put, banking trojans work. Banking Trojans allow threat actors to literally remove funds from a target bank account, the financial gain is instant.” Her comment was opposed by Paul Ducklin, Sophos Sr. Technologist: “Thinking that the malware scene was all about crypto jacking and ransomware these days, but that’s because those threats are more exciting to write about and are currently hogging the media spotlight.”
A call has been communicated to the banking sector to take responsibility against banking exploits. Many banks have now implemented two-factor authentication using a separate device, SMS message or a mobile app. This prevents the stolen usernames and passwords from actually working since the bank login screen will demand a secondary authentication, which the virus authors will never have access to.
Banking trojans while profitable are being over superseded by cryptocurrency mining malware, which provides bigger returns with less chance of getting discovered. Proofpoint report further emphasized: “The first half of this year has been marked by substantial diversity among malicious e-mail campaigns but banking Trojans, in particular, have predominated. The Kronos banking Trojan has a relatively long and interesting history and it looks like it will continue as a fixture in the threat landscape for now.”
The 2014 Kronos malware was created by a security researcher named Marcus Hutchins, using the handle “MalwareTech.” He was later arrested and currently facing a case in connection with the spread of Kronos bank trojan. As a precautionary measure, banks are advised to decommission the use of legacy systems, as it has a wider attack surface. Adaptation of flexible systems that are easily patched is better and more resistant to cyber attacks.
Related Resources: