The evolution of Kronos malware
The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims.
After remaining dormant for a few years, the Kronos banking trojan reemerged in 2018, under the name Osiris, and was used in a banking trojan campaign. While there were some differences between the two strains, both Osiris and Kronos shared the same technique for stealing information.
Kronos made yet another resurgence — this time combined with ransomware — and in late 2022 IBM Security Trusteer saw an increase in Kronos malware activity in Mexico. In these attacks, it was used to launch JavaScript web-injects on financial institutions with a malicious chrome extension.
A brief review of the Kronos malware attack in Mexico
The first victim of the 2022 Kronos malware had the malware automatically installed through a malicious chrome extension called “Seguridad” (Security).
This is the first time we have observed malware utilizing a chrome extension with web injects on financial institutions.
The Kronos malware utilizes a configuration file to identify targeted pages within a victim’s web browsing session. Once a victim navigates to one of these pages, the malware will initiate a call to an external resource and inject a malicious JavaScript payload. Once the malicious chrome extension is installed, if the user attempts to access one of the targeted Mexican financial institutions, the extension will inject malicious JavaScript with the name: “8vZ9d1-ad.js” or “ok.js”:
This payload can then be used to steal sensitive information from the victim’s device.
Stealthy web injection capabilities
During an investigation of the Kronos malware’s web-injects, it was found that the main goal of the attacker is to steal sensitive information from the victim, such as login credentials (username, password), mobile tokens, OTP tokens, and more. These stolen pieces of information can then be used by the attacker to gain unauthorized access to the victim’s accounts or to commit other fraudulent activities.
Example for Web-Inject:
Once a user is infected with the Kronos malware, the malware may wait for the user to enter their login credentials on a targeted website. At this point, the JavaScript component of the malware will begin to inject itself into the victim’s web browser, displaying a fake loading animation (commonly known as a “loader gif”) in order to obscure the fact that the user’s information is being stolen. This technique is commonly used by malware to avoid detection and increase the likelihood of successfully stealing sensitive information from the victim:
The malware may then prompt the user for additional sensitive information, such as a telephone number, under the guise of verifying the user’s identity. This information is then used by the attacker for various nefarious purposes.
Main JavaScript function:
| Ask_user |
Send command forgot username |
| Ask_pass |
Enter password |
| Ask_mobile_access_token |
Ask user to enter access mobile token |
| Ask_mobile_confirmation |
Ask mobile token confirmation |
| Ask_otp_access_token |
Ask for OTP for physical token |
| Ask_calc_access_token |
Second confirmation for token |
| Ask_calc_confirmation_token |
Third confirmation for token |
| Ask_email |
Ask for email address |
| Ask_info |
Request for landline and cellphone |
Scroll to view full table
Once the malware has fully initialized and its various functions have been enabled, it will use the “send_home” function to exfiltrate any stolen information back to the attacker’s server. This function is typically used to transmit sensitive data that has been collected by the malware during the victim’s web browsing session:
The “send_home” function is used by the Kronos malware to transmit stolen information to the attacker’s command and control (C&C) server. This transmission typically includes a unique token and a link to the financial institution from which the information was stolen. This allows the attacker to easily identify the source of the stolen information and track the progress of the malware’s activities.
Example: hxxps://tomolina.top/uadmin/gate.php?pl=token&link=hsbc_mx1.1
C&C panel (uadmin)
The “uadmin” panel is a C&C interface used by attackers to manage various aspects of their malware campaigns. It allows the attacker to configure web injects and other options, as well as view sensitive information that has been collected from victims. This information, which may include login credentials, mobile tokens, and OTP codes, is typically used by the attacker for various nefarious purposes.
Inside C&C (uadmin):
The source code for the “uadmin” panel has been leaked in the past, and below is an example of the main admin code:
Main page:
Main Token Page:
This page contains logs of infected victims, including:
- The last time the victim connected to the targeted bank.
- The victim’s IP address.
- Device information (e.g., operating system and web browser type).
- The name of the targeted bank that the attacker has configured.
- Quick data showing the victim’s login credentials.
- The “redirect” feature, which redirects all existing and new bots to present links on each page.
- The “block” feature, which blocks access to the page after the user enters their credentials.
- Comments from the C&C owner.
The C&C admin page provides a robust view of victim activity and is an efficient way for attackers to collect victim data and user statistics that show the progress of their campaign. The C&C main features include:
- Statistics on the number of infected bots and other metrics.
- A list of infected bots, including their IP addresses and other details.
- The ability to remotely control infected bots.
- The ability to export logs of stolen information.
- Settings for the stealer component of the malware.
- A blacklist of web pages that the malware should not target.
Targeted financial institution: Mexico region
During an observed attack on a Mexico region financial institution, we identified multiple indicators of compromise.
IOC:
In this instance, we were able to successfully retrieve Indicator of Compromise (IOC) from the JavaScript configuration file located at “8vZ9d1-ad.js”.
- hxxps://dlxfreight.bid/mx/
- hxxps://dlxfreight.bid/w1Q5DXr7te/gate.php
- hxxps://pnlbanorte.dlxfreight.bid
- hxxps://dlxfreight.bid/
- hxxp://tomolina[.]top/
- hxxps://facturacionmexico.net/choa.php
- hxxps://dlxfreightmore.com
How to stay safe from Kronos
To protect against Kronos, it is important to use reputable antivirus and anti-malware programs, as well as to keep systems updated with the latest security patches and software updates. Additionally, employees should be educated on how to recognize and avoid phishing emails, and organizations should implement email filtering and other security measures to block malicious emails.
If a system is suspected to be infected with Kronos, it is important to take the system offline immediately and perform a thorough scan using antivirus and anti-malware tools. Any sensitive data that may have been compromised should also be changed immediately.
It is suspected that this malware campaign may potentially spread to the North American region and potentially also to the European region. Due to its advanced functionality and ability to evade detection, it is important for individuals and organizations in these regions to be aware of the threat it poses and take the actions noted above to better protect against it.
To learn how to authenticate customers, detect fraud and protect against malicious users across all channels, explore IBM Security Trusteer solutions.
Security Web Researcher in Security Intelligence