The All New Kronos Banking Trojan Discovered
After lying low for a couple of years, the Kronos trojan reemerged in July under a new name, Osiris. Below is a closer look at how the banking trojan has evolved, set against the broader malware trends.
Osiris first appeared in July, targeting Germany, Japan, and Poland. It is plainly based on the Kronos malware, which surfaced in 2014 and drove financial cybercrime for some time.
According to Securonix specialist Oleg Kolesnikov, the current version of the Trojan is quite similar to other existing banking malware. It uses Zeus-style G/P/L web-injects, a keylogger, and a VNC server, though it also differs from them in several ways.
For one, it uses encrypted Tor traffic for command-and-control (C2). “The malicious payload spawns multiple processes named ‘tor.exe’ and connects to multiple distinct hosts (Tor nodes) located in different countries,” Kolesnikov said in a post on Osiris published Tuesday.
Kolesnikov explained that Osiris has also upped its evasion game with a particular and fairly innovative process impersonation technique, which combines the process doppelganging approach with the more traditional process hollowing technique.
“The technique can literally make detection of the banking trojan's activity using purely endpoint tools more challenging compared to tools that are capable of looking at the behaviors of other entities besides endpoints.”
The Attack Pattern
The infection pattern is the one most attackers use: a specially crafted Microsoft Word document or RTF attachment with a macro or OLE object that drops and executes obfuscated VB stages. Alternatively, the malware is distributed via exploit kits such as RIG EK.
The malicious document exploits a buffer overflow vulnerability in the Microsoft Office Equation Editor component, which allows the attacker to achieve arbitrary code execution.
Kolesnikov, talking to Threatpost, explained: “The vulnerability resides in the Equation Editor Component which, when used, runs as its own process (eqnedt32.exe). Because of the way it was implemented, it doesn’t support Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). A malicious document exploits the vulnerability to execute a command to download the latest version of [Osiris].”
Osiris's main purpose is to steal credentials and other sensitive data from online banking accounts. It does this chiefly through a man-in-the-browser attack: web-injecting a malicious script into banking websites and grabbing form values.
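As an added illustration (not code from the article or from Securonix), the Python sketch below turns the two behaviours Kolesnikov describes, eqnedt32.exe launching a command and a payload spawning several tor.exe processes that reach hosts in different countries, into detection checks over constructed process-creation and network telemetry. The event format, field names and sample values are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): one process tree in which
# Equation Editor launches a shell that starts several Tor clients, plus one
# benign Equation Editor instance that spawns nothing. pid/ppid/image mimic
# the fields of a typical process-creation log; network rows carry the pid.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 3000, "image": "WINWORD.EXE"},
    {"type": "process", "pid": 4120, "ppid": 4100, "image": "EQNEDT32.EXE"},
    {"type": "process", "pid": 4140, "ppid": 4120, "image": "cmd.exe"},
    {"type": "process", "pid": 4200, "ppid": 4140, "image": "tor.exe"},
    {"type": "process", "pid": 4210, "ppid": 4140, "image": "tor.exe"},
    {"type": "process", "pid": 4220, "ppid": 4140, "image": "tor.exe"},
    {"type": "network", "pid": 4200, "dst": "203.0.113.10", "country": "DE"},
    {"type": "network", "pid": 4210, "dst": "198.51.100.7", "country": "NL"},
    {"type": "network", "pid": 4220, "dst": "192.0.2.55", "country": "US"},
    {"type": "process", "pid": 5000, "ppid": 3000, "image": "EQNEDT32.EXE"},
]


def eqnedt_child_alerts(events):
    """Return process events whose parent is eqnedt32.exe.

    Equation Editor has no legitimate reason to launch child processes, so any
    child (here cmd.exe) is a strong signal of the exploit described above.
    """
    eqn_pids = {e["pid"] for e in events
                if e["type"] == "process" and e["image"].lower() == "eqnedt32.exe"}
    return [e for e in events if e["type"] == "process" and e["ppid"] in eqn_pids]


def tor_fanout_alerts(events, min_procs=2, min_countries=2):
    """Return one alert per parent that spawns several tor.exe processes whose
    outbound connections reach hosts in several distinct countries."""
    tor_by_parent = defaultdict(set)
    for e in events:
        if e["type"] == "process" and e["image"].lower() == "tor.exe":
            tor_by_parent[e["ppid"]].add(e["pid"])
    alerts = []
    for ppid, pids in sorted(tor_by_parent.items()):
        conns = [e for e in events if e["type"] == "network" and e["pid"] in pids]
        countries = {c["country"] for c in conns}
        if len(pids) >= min_procs and len(countries) >= min_countries:
            alerts.append({"ppid": ppid, "tor_pids": sorted(pids),
                           "hosts": sorted(c["dst"] for c in conns),
                           "countries": sorted(countries)})
    return alerts


if __name__ == "__main__":
    for a in eqnedt_child_alerts(SAMPLE_EVENTS):
        print("eqnedt32.exe spawned", a["image"], "pid", a["pid"])
    for a in tor_fanout_alerts(SAMPLE_EVENTS):
        print("Tor fan-out from pid", a["ppid"], "to", a["countries"])
```

Both checks rely on parent/child and process-to-socket correlation, which is why Kolesnikov argues that telemetry beyond a single endpoint view makes the trojan easier to spot.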
The Modern Malware
Despite being based on old source code that has been knocking around for years, Osiris's fundamental makeup places it squarely within current malware trends. Looking at banking attacks, it resembles a convergence of the malicious features offered by many Trojans, Kolesnikov told Threatpost. “For instance, it is quite common to see the same baseline set of features offered in many prevalent bank trojans, such as form-grabbing, sandbox and AV bypass, web injections, password recovery, keylogging, and remote access.”
He added that the latest version of Osiris also fits into a trend of malware adopting a more modular architecture in general; this enables malicious actors to provide updates and plugins to implement various malicious behaviors after an initial infection.
This dovetails with “a growing trend for more rapid malware prototyping and a decrease in the ‘research-to-malware’ time it takes for malicious threat actors to implement the latest attack and evasion techniques reported in the security community,” he added.
Another notable point is price: Kronos sold for $3,000 in 2014, while Osiris sold for $2,000 in 2018, which makes it much easier for cybercriminals to get their hands on. Buyers also have the option of reselling the license for $1,000, something Kronos did not offer. This difference is what makes it potentially more dangerous, with the capacity to increase the scale and impact of the threat.