The evolution of Kronos malware

The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims.

After remaining dormant for a few years, the Kronos banking trojan reemerged in 2018, under the name Osiris, and was used in a banking trojan campaign. While there were some differences between the two strains, both Osiris and Kronos shared the same technique for stealing information.

Kronos made yet another resurgence — this time combined with ransomware — and in late 2022 IBM Security Trusteer saw an increase in Kronos malware activity in Mexico. In these attacks, it was used to launch JavaScript web-injects on financial institutions through a malicious Chrome extension.

A brief review of the Kronos malware attack in Mexico

The first victim of the 2022 Kronos malware had the malware installed automatically through a malicious Chrome extension called “Seguridad” (Security).

This is the first time we have observed malware using a Chrome extension to deliver web injects on financial institutions.

The Kronos malware uses a configuration file to identify targeted pages within a victim’s web browsing session. Once the victim navigates to one of these pages, the malware calls an external resource and injects a malicious JavaScript payload. Once the malicious Chrome extension is installed, if the user attempts to access one of the targeted Mexican financial institutions, the extension injects malicious JavaScript named “8vZ9d1-ad.js” or “ok.js”:

This payload can then be used to steal sensitive information from the victim’s device.
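Because the 2022 campaign arrived as a browser extension rather than a dropped binary, an incident responder’s first triage step on a suspect endpoint is to inventory what Chrome has installed. The following is an added example written for this article, not code from IBM Security Trusteer or from the Kronos sample. It walks Chrome’s on-disk extension layout (`<profile>/Extensions/<extension-id>/<version>/manifest.json`) and flags extensions whose name matches the “Seguridad” name reported above, that request access to every site, or whose match patterns cover bank hostnames. The sensitive-host fragments and the two demo manifests it builds are constructed for the example.

```python
"""Inventory Chrome extensions in a user profile and flag suspicious ones.

Added example for this article; not code from IBM Security Trusteer or the
Kronos sample. Chrome keeps each installed extension's manifest at
<profile>/Extensions/<extension-id>/<version>/manifest.json, which is what
this script walks. The watchlist name "Seguridad" comes from the article;
the sensitive-host fragments and the two demo manifests are constructed.
"""
import json
import tempfile
from pathlib import Path

# Extension names reported in the campaign (matched case-insensitively).
WATCHLIST_NAMES = {"seguridad"}
# Hostname fragments the defender treats as sensitive (constructed placeholders).
SENSITIVE_HOST_FRAGMENTS = ("banorte", "hsbc")


def _host_patterns(manifest):
    """Collect URL match patterns from MV2 'permissions', MV3 'host_permissions'
    and every content script's 'matches' list."""
    patterns = []
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                patterns.append(entry)
    for script in manifest.get("content_scripts", []):
        patterns.extend(script.get("matches", []))
    return patterns


def _is_broad(pattern):
    """True for match patterns that grant access to every site."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"


def inventory_extensions(profile_dir):
    """Return one record per extension version found under <profile>/Extensions."""
    records = []
    for manifest_path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip rather than abort the sweep
        records.append({
            "id": manifest_path.parent.parent.name,
            "version": manifest_path.parent.name,
            "name": str(manifest.get("name", "")),
            "patterns": _host_patterns(manifest),
        })
    return records


def flag_suspicious(records):
    """Return (id, name, reasons) for extensions worth an analyst's attention."""
    flagged = []
    for rec in records:
        reasons = []
        if rec["name"].strip().lower() in WATCHLIST_NAMES:
            reasons.append("name on watchlist")
        if any(_is_broad(p) for p in rec["patterns"]):
            reasons.append("broad host access")
        if any(f in p.lower() for p in rec["patterns"] for f in SENSITIVE_HOST_FRAGMENTS):
            reasons.append("access to sensitive host")
        if reasons:
            flagged.append((rec["id"], rec["name"], reasons))
    return flagged


def build_demo_profile():
    """Create a throwaway profile directory with two constructed manifests."""
    root = Path(tempfile.mkdtemp(prefix="chrome_profile_demo_"))
    manifests = {
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0.0"): {
            "manifest_version": 3, "name": "Sample Notes",
            "permissions": ["storage"],
        },
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.1.0"): {
            "manifest_version": 3, "name": "Seguridad",
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
        },
    }
    for (ext_id, version), manifest in manifests.items():
        target = root / "Extensions" / ext_id / version
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    profile = build_demo_profile()
    for ext_id, name, reasons in flag_suspicious(inventory_extensions(profile)):
        print(f"{ext_id} ({name}): {', '.join(reasons)}")
```

Point `inventory_extensions` at a real profile directory (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows) to run it against a live endpoint. One caveat: Chrome Web Store extensions often set `"name"` to a localized key such as `__MSG_appName__`, so a name-based watchlist should be treated as a quick first pass and the host-pattern checks as the more reliable signal.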

Stealthy web injection capabilities

During an investigation of the Kronos malware’s web-injects, it was found that the main goal of the attacker is to steal sensitive information from the victim, such as login credentials (username, password), mobile tokens, OTP tokens, and more. These stolen pieces of information can then be used by the attacker to gain unauthorized access to the victim’s accounts or to commit other fraudulent activities.

Example for Web-Inject:

Once a user is infected with the Kronos malware, the malware may wait for the user to enter their login credentials on a targeted website. At this point, the JavaScript component of the malware will begin to inject itself into the victim’s web browser, displaying a fake loading animation (commonly known as a “loader gif”) in order to obscure the fact that the user’s information is being stolen. This technique is commonly used by malware to avoid detection and increase the likelihood of successfully stealing sensitive information from the victim:

The malware may then prompt the user for additional sensitive information, such as a telephone number, under the guise of verifying the user’s identity. This information is then used by the attacker for various nefarious purposes.

Main JavaScript functions:

Function                     Description
Ask_user                     Send command “forgot username”
Ask_pass                     Enter password
Ask_mobile_access_token      Ask user to enter mobile access token
Ask_mobile_confirmation      Ask for mobile token confirmation
Ask_otp_access_token         Ask for OTP for physical token
Ask_calc_access_token        Second confirmation for token
Ask_calc_confirmation_token  Third confirmation for token
Ask_email                    Ask for email address
Ask_info                     Request landline and cellphone numbers

Once the malware has fully initialized and its various functions have been enabled, it will use the “send_home” function to exfiltrate any stolen information back to the attacker’s server. This function is typically used to transmit sensitive data that has been collected by the malware during the victim’s web browsing session:

The “send_home” function is used by the Kronos malware to transmit stolen information to the attacker’s command and control (C&C) server. This transmission typically includes a unique token and a link to the financial institution from which the information was stolen. This allows the attacker to easily identify the source of the stolen information and track the progress of the malware’s activities.

Example: hxxps://tomolina.top/uadmin/gate.php?pl=token&link=hsbc_mx1.1

C&C panel (uadmin)

The “uadmin” panel is a C&C interface used by attackers to manage various aspects of their malware campaigns. It allows the attacker to configure web injects and other options, as well as view sensitive information that has been collected from victims. This information, which may include login credentials, mobile tokens, and OTP codes, is typically used by the attacker for various nefarious purposes.

Inside C&C (uadmin):

The source code for the “uadmin” panel has been leaked in the past, and below is an example of the main admin code:

Main page:

Main Token Page:

This page contains logs of infected victims, including:

  • The last time the victim connected to the targeted bank.
  • The victim’s IP address.
  • Device information (e.g., operating system and web browser type).
  • The name of the targeted bank that the attacker has configured.
  • Quick data showing the victim’s login credentials.
  • The “redirect” feature, which redirects all existing and new bots to the links set for each page.
  • The “block” feature, which blocks access to the page after the user enters their credentials.
  • Comments from the C&C owner.

The C&C admin page provides a robust view of victim activity and is an efficient way for attackers to collect victim data and user statistics that show the progress of their campaign. The C&C main features include:
  • Statistics on the number of infected bots and other metrics.
  • A list of infected bots, including their IP addresses and other details.
  • The ability to remotely control infected bots.
  • The ability to export logs of stolen information.
  • Settings for the stealer component of the malware.
  • A blacklist of web pages that the malware should not target.

Targeted financial institution: Mexico region

During an observed attack on a Mexico region financial institution, we identified multiple indicators of compromise.

IOC:

In this instance, we were able to retrieve indicators of compromise (IOCs) from the JavaScript configuration file located at “8vZ9d1-ad.js”.

  • hxxps://dlxfreight.bid/mx/
  • hxxps://dlxfreight.bid/w1Q5DXr7te/gate.php
  • hxxps://pnlbanorte.dlxfreight.bid
  • hxxps://dlxfreight.bid/
  • hxxp://tomolina[.]top/
  • hxxps://facturacionmexico.net/choa.php
  • hxxps://dlxfreightmore.com
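The IOC list above and the “send_home” beacon shape described earlier (gate.php carrying a pl= token and a link= value naming the targeted bank) can be turned into one detection pass over proxy or web-gateway logs. The following is an added example written for this article, not code from IBM Security Trusteer or from the malware: it refangs the article’s IOCs, matches log lines against those hosts (including subdomains), and separately flags any gate.php request that carries both parameters, so a host rotation by the operator does not blind the second check. The log format (timestamp, client IP, method, URL) and the sample lines are constructed.

```python
"""Scan proxy log lines for Kronos web-inject infrastructure and send_home beacons.

Added example for this article; not code from IBM Security Trusteer or the
malware. The IOC URLs and the gate.php?pl=<token>&link=<bank> beacon shape are
taken from the article; the log format (timestamp, client IP, method, URL) and
the sample log lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlparse

# IOCs exactly as the article lists them (defanged); refanged only for matching.
ARTICLE_IOCS = [
    "hxxps://dlxfreight.bid/mx/",
    "hxxps://dlxfreight.bid/w1Q5DXr7te/gate.php",
    "hxxps://pnlbanorte.dlxfreight.bid",
    "hxxps://dlxfreight.bid/",
    "hxxp://tomolina[.]top/",
    "hxxps://facturacionmexico.net/choa.php",
    "hxxps://dlxfreightmore.com",
    "hxxps://tomolina.top/uadmin/gate.php?pl=token&link=hsbc_mx1.1",
]


def refang(url):
    """Turn a defanged indicator back into a parseable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


IOC_HOSTS = {urlparse(refang(u)).hostname.lower() for u in ARTICLE_IOCS}

# Constructed log format: <ISO timestamp> <client IP> <method> <URL>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def host_matches_ioc(host):
    """Exact match or subdomain of a known IOC host."""
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_HOSTS)


def classify_url(url):
    """Return the reasons a URL is suspicious (empty list if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host_matches_ioc(host):
        reasons.append("known IOC host")
    # send_home beacon: gate.php carrying a bot token (pl) and the targeted bank (link)
    if parsed.path.endswith("/gate.php"):
        query = parse_qs(parsed.query)
        if "pl" in query and "link" in query:
            reasons.append("send_home beacon pattern (gate.php?pl=&link=)")
    return reasons


def scan_log(lines):
    """Parse each log line and return a finding for every suspicious request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip, do not abort the scan
        reasons = classify_url(m.group("url"))
        if reasons:
            findings.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "host": (urlparse(m.group("url")).hostname or "").lower(),
                "reasons": reasons,
            })
    return findings


# Constructed sample traffic: one infected client plus a benign gate.php hit.
SAMPLE_LOG = [
    "2022-11-14T10:03:11Z 10.0.0.12 GET https://www.example-bank.mx/login",
    "2022-11-14T10:03:12Z 10.0.0.12 GET https://dlxfreight.bid/mx/8vZ9d1-ad.js",
    "2022-11-14T10:03:40Z 10.0.0.12 POST https://tomolina.top/uadmin/gate.php?pl=abc123&link=hsbc_mx1.1",
    "2022-11-14T10:04:02Z 10.0.0.33 GET https://updates.example.com/gate.php?v=2",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} -> {f['host']}: {'; '.join(f['reasons'])}")
```

The beacon check is deliberately kept separate from the host list: the last sample line shows a gate.php request with neither parameter, which stays unflagged, while a gate.php hit on a brand-new domain carrying both pl= and link= would still surface. Adapt `LOG_LINE` to the field order of whatever proxy produces the logs.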

How to stay safe from Kronos

To protect against Kronos, it is important to use reputable antivirus and anti-malware programs, as well as to keep systems updated with the latest security patches and software updates. Additionally, employees should be educated on how to recognize and avoid phishing emails, and organizations should implement email filtering and other security measures to block malicious emails.

If a system is suspected to be infected with Kronos, it is important to take the system offline immediately and perform a thorough scan using antivirus and anti-malware tools. Any sensitive data that may have been compromised should also be changed immediately.

It is suspected that this malware campaign may spread to the North American region and possibly also to the European region. Due to its advanced functionality and ability to evade detection, it is important for individuals and organizations in these regions to be aware of the threat it poses and to take the actions noted above to better protect against it.

To learn how to authenticate customers, detect fraud and protect against malicious users across all channels, explore IBM Security Trusteer solutions.
