The evolution of Kronos malware
The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve: a new variant emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims.
After remaining dormant for a few years, the Kronos banking trojan reemerged in 2018, under the name Osiris, and was used in a banking trojan campaign. While there were some differences between the two strains, both Osiris and Kronos shared the same technique for stealing information.
A brief review of the Kronos malware attack in Mexico
The first victim of the 2022 Kronos malware had the malware automatically installed through a malicious Chrome extension called “Seguridad” (Security).
This is the first time we have observed malware utilizing a Chrome extension with web injects on financial institutions.
This payload can then be used to steal sensitive information from the victim’s device.
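One way a responder can triage a Chrome profile for extensions capable of injecting content into banking pages, as an added example that is not code from the article or the campaign: walk the profile's Extensions directory, parse each manifest.json and flag extensions whose content-script matches or host permissions cover a monitored bank domain or all URLs. The profile path, the bank domain list and the two sample manifests are constructed for the example.

```python
"""Added triage example: find Chrome extensions whose manifest lets them run on
banking pages. Bank domains, extension ids and manifests below are constructed."""
import json
import os
import tempfile

# Assumed domains of the monitored financial institutions (constructed).
BANK_DOMAINS = ("bank.example", "banco.example")
CATCH_ALL = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def _pattern_hits_bank(pattern: str) -> bool:
    """True when a match pattern or host permission covers a bank domain or all hosts."""
    return pattern in CATCH_ALL or any(d in pattern for d in BANK_DOMAINS)

def scan_manifest(manifest: dict) -> dict:
    """Summarise the injection-relevant parts of one extension manifest."""
    matches = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    # MV3 keeps host access in host_permissions; MV2 mixed URL patterns into permissions.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    return {"name": manifest.get("name", "?"), "matches": matches, "hosts": hosts,
            "suspicious": any(_pattern_hits_bank(p) for p in matches + hosts)}

def scan_extensions_dir(ext_root: str) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return findings."""
    findings = []
    for ext_id in sorted(os.listdir(ext_root)):
        for version in sorted(os.listdir(os.path.join(ext_root, ext_id))):
            path = os.path.join(ext_root, ext_id, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as fh:
                info = scan_manifest(json.load(fh))
            info["id"], info["version"] = ext_id, version
            findings.append(info)
    return findings

def demo() -> list:
    """Write two constructed extensions (one benign, one injector) to a temp dir and scan them."""
    root = tempfile.mkdtemp()
    benign = {"name": "Notes", "manifest_version": 3, "permissions": ["storage"]}
    injector = {"name": "Seguridad", "manifest_version": 3, "host_permissions": ["<all_urls>"],
                "content_scripts": [{"matches": ["*://*.bank.example/*"], "js": ["inject.js"]}]}
    for ext_id, manifest in (("aaaa", benign), ("bbbb", injector)):
        ext_dir = os.path.join(root, ext_id, "1.0")
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return scan_extensions_dir(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host, point scan_extensions_dir at the profile's Extensions folder and review every flagged entry against the user's intended installs; a name alone (such as “Seguridad”) is never sufficient to clear an extension.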
Stealthy web injection capabilities
During an investigation of the Kronos malware’s web-injects, it was found that the main goal of the attacker is to steal sensitive information from the victim, such as login credentials (username, password), mobile tokens, OTP tokens, and more. These stolen pieces of information can then be used by the attacker to gain unauthorized access to the victim’s accounts or to commit other fraudulent activities.
Example for Web-Inject:
The malware may then prompt the user for additional sensitive information, such as a telephone number, under the guise of verifying the user’s identity. This information is then used by the attacker for various nefarious purposes.
Web-inject steps observed in the configuration:
- Send command forgot username
- Ask user to enter access mobile token
- Ask mobile token confirmation
- Ask for OTP for physical token
- Second confirmation for token
- Third confirmation for token
- Ask for email address
- Request for landline and cellphone
Once the malware has fully initialized and its various functions have been enabled, it will use the “send_home” function to exfiltrate any stolen information back to the attacker’s server. This function is typically used to transmit sensitive data that has been collected by the malware during the victim’s web browsing session.
The “send_home” function is used by the Kronos malware to transmit stolen information to the attacker’s command and control (C&C) server. This transmission typically includes a unique token and a link to the financial institution from which the information was stolen. This allows the attacker to easily identify the source of the stolen information and track the progress of the malware’s activities.
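The exfiltration pattern described above (a request to a host outside the bank that carries a token and a link back to the financial institution) can be hunted for in web-proxy data. The following is an added detection example, not code from the article; the record format, the bank domain list and the four log lines are constructed, and the scoring thresholds are assumptions.

```python
"""Added detection example: score constructed proxy records for the send_home
pattern (bank link plus token posted to a non-bank host). Format and domains are assumed."""
from urllib.parse import parse_qs, urlsplit

# Assumed domains of the monitored financial institutions (constructed).
BANK_DOMAINS = ("bank.example", "banco.example")

# Constructed proxy records: "<ts> <client> <method> <url> <body>" ("-" = no body).
PROXY_LOG = """\
2022-11-01T10:00:01Z 10.0.0.5 GET https://www.bank.example/login -
2022-11-01T10:00:02Z 10.0.0.5 POST https://www.bank.example/api/auth user=j.doe
2022-11-01T10:00:09Z 10.0.0.5 POST https://cdn-updates.example/gate.php token=4f2a9c&link=https%3A%2F%2Fwww.bank.example%2Flogin&data=otp%3D123456
2022-11-01T10:00:10Z 10.0.0.6 GET https://news.example/?ref=https%3A%2F%2Fwww.bank.example -
"""

def _host_is_bank(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in BANK_DOMAINS)

def _mentions_bank(text: str) -> bool:
    return any(d in text for d in BANK_DOMAINS)

def parse_record(line: str) -> dict:
    ts, client, method, url, body = line.split(" ", 4)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "body": "" if body == "-" else body}

def score_record(rec: dict) -> int:
    """0 = nothing; 1 = bank link sent to a non-bank host; 2 = POST that also carries a token field."""
    parts = urlsplit(rec["url"])
    if _host_is_bank(parts.hostname or ""):
        return 0                                   # traffic to the bank itself is expected
    fields = parse_qs(parts.query + "&" + rec["body"], keep_blank_values=True)
    values = " ".join(v for vs in fields.values() for v in vs)   # percent-decoded values
    if not _mentions_bank(values):
        return 0
    has_token = any("token" in key.lower() for key in fields)
    return 2 if rec["method"] == "POST" and has_token else 1

def find_send_home_candidates(log_text: str) -> list:
    """Return (ts, client, destination host, score) for every record that scores above 0."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        score = score_record(rec)
        if score:
            hits.append((rec["ts"], rec["client"], urlsplit(rec["url"]).hostname, score))
    return hits

if __name__ == "__main__":
    for hit in find_send_home_candidates(PROXY_LOG):
        print(hit)
```

Score 1 hits (a bank URL in a referrer-style query parameter) are common in legitimate traffic and need review, while a score 2 hit from a client that was on the bank site moments earlier is the stronger lead.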
C&C panel (uadmin)
The “uadmin” panel is a C&C interface used by attackers to manage various aspects of their malware campaigns. It allows the attacker to configure web injects and other options, as well as view sensitive information that has been collected from victims. This information, which may include login credentials, mobile tokens, and OTP codes, is typically used by the attacker for various nefarious purposes.
Inside C&C (uadmin):
The source code for the “uadmin” panel has been leaked in the past, and below is an example of the main admin code:
Main Token Page:
This page contains logs of infected victims, including:
- The last time the victim connected to the targeted bank.
- The victim’s IP address.
- Device information (e.g., operating system and web browser type).
- The name of the targeted bank that the attacker has configured.
- Quick data showing the victim’s login credentials.
- The “redirect” feature, which redirects all existing and new bots to present links on each page.
- The “block” feature, which blocks access to the page after the user enters their credentials.
- Comments from the C&C owner.
The C&C admin page provides a robust view of victim activity and is an efficient way for attackers to collect victim data and user statistics that show the progress of their campaign. The C&C main features include:
- Statistics on the number of infected bots and other metrics.
- A list of infected bots, including their IP addresses and other details.
- The ability to remotely control infected bots.
- The ability to export logs of stolen information.
- Settings for the stealer component of the malware.
- A blacklist of web pages that the malware should not target.
Targeted financial institution: Mexico region
During an observed attack on a Mexico region financial institution, we identified multiple indicators of compromise.
How to stay safe from Kronos
To protect against Kronos, it is important to use reputable antivirus and anti-malware programs, as well as to keep systems updated with the latest security patches and software updates. Additionally, employees should be educated on how to recognize and avoid phishing emails, and organizations should implement email filtering and other security measures to block malicious emails.
If a system is suspected to be infected with Kronos, it is important to take the system offline immediately and perform a thorough scan using antivirus and anti-malware tools. Any sensitive data that may have been compromised should also be changed immediately.
It is suspected that this malware campaign may spread to the North American region and potentially also to the European region. Due to its advanced functionality and ability to evade detection, it is important for individuals and organizations in these regions to be aware of the threat it poses and take the actions noted above to better protect against it.
To learn how to authenticate customers, detect fraud and protect against malicious users across all channels, explore IBM Security Trusteer solutions.