The evolution of Kronos malware

The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims.

After remaining dormant for a few years, the Kronos banking trojan reemerged in 2018, under the name Osiris, and was used in a banking trojan campaign. While there were some differences between the two strains, both Osiris and Kronos shared the same technique for stealing information.

Kronos made yet another resurgence — this time combined with ransomware — and in late 2022 IBM Security Trusteer saw an increase in Kronos malware activity in Mexico. In these attacks, it was used to launch JavaScript web-injects on financial institutions with a malicious chrome extension.

A brief review of the Kronos malware attack in Mexico

The first victim of the 2022 Kronos malware had the malware automatically installed through a malicious chrome extension called “Seguridad” (Security).

This is the first time we have observed malware utilizing a chrome extension with web injects on financial institutions.

The Kronos malware utilizes a configuration file to identify targeted pages within a victim’s web browsing session. Once a victim navigates to one of these pages, the malware will initiate a call to an external resource and inject a malicious JavaScript payload. Once the malicious chrome extension is installed, if the user attempts to access one of the targeted Mexican financial institutions, the extension will inject malicious JavaScript with the name: “8vZ9d1-ad.js” or “ok.js”:

This payload can then be used to steal sensitive information from the victim’s device.

Stealthy web injection capabilities

During an investigation of the Kronos malware’s web-injects, it was found that the main goal of the attacker is to steal sensitive information from the victim, such as login credentials (username, password), mobile tokens, OTP tokens, and more. These stolen pieces of information can then be used by the attacker to gain unauthorized access to the victim’s accounts or to commit other fraudulent activities.

Example for Web-Inject:

Once a user is infected with the Kronos malware, the malware may wait for the user to enter their login credentials on a targeted website. At this point, the JavaScript component of the malware will begin to inject itself into the victim’s web browser, displaying a fake loading animation (commonly known as a “loader gif”) in order to obscure the fact that the user’s information is being stolen. This technique is commonly used by malware to avoid detection and increase the likelihood of successfully stealing sensitive information from the victim:

The malware may then prompt the user for additional sensitive information, such as a telephone number, under the guise of verifying the user’s identity. This information is then used by the attacker for various nefarious purposes.

Main JavaScript function:

Ask_user Send command forgot username
Ask_pass Enter password
Ask_mobile_access_token Ask user to enter access mobile token
Ask_mobile_confirmation Ask mobile token confirmation
Ask_otp_access_token Ask for OTP for physical token
Ask_calc_access_token Second confirmation for token
Ask_calc_confirmation_token Third confirmation for token
Ask_email Ask for email address
Ask_info Request for landline and cellphone
Scroll to view full table

Once the malware has fully initialized and its various functions have been enabled, it will use the “send_home” function to exfiltrate any stolen information back to the attacker’s server. This function is typically used to transmit sensitive data that has been collected by the malware during the victim’s web browsing session:

The “send_home” function is used by the Kronos malware to transmit stolen information to the attacker’s command and control (C&C) server. This transmission typically includes a unique token and a link to the financial institution from which the information was stolen. This allows the attacker to easily identify the source of the stolen information and track the progress of the malware’s activities.

Example: hxxps://tomolina.top/uadmin/gate.php?pl=token&link=hsbc_mx1.1

C&C panel (uadmin)

The “uadmin” panel is a C&C interface used by attackers to manage various aspects of their malware campaigns. It allows the attacker to configure web injects and other options, as well as view sensitive information that has been collected from victims. This information, which may include login credentials, mobile tokens, and OTP codes, is typically used by the attacker for various nefarious purposes.

Inside C&C (uadmin):

The source code for the “uadmin” panel has been leaked in the past, and below is an example of the main admin code:

Main page:

Main Token Page:

This page contains logs of infected victims, including:

  • The last time the victim connected to the targeted bank.
  • The victim’s IP address.
  • Device information (e.g., operating system and web browser type).
  • The name of the targeted bank that the attacker has configured.
  • Quick data showing the victim’s login credentials.
  • The “redirect” feature, which redirects all existing and new bots to present links on each page.
  • The “block” feature, which blocks access to the page after the user enters their credentials.
  • Comments from the C&C owner.
The C&C admin page provides a robust view of victim activity and is an efficient way for attackers to collect victim data and user statistics that show the progress of their campaign. The C&C main features include:
  • Statistics on the number of infected bots and other metrics.
  • A list of infected bots, including their IP addresses and other details.
  • The ability to remotely control infected bots.
  • The ability to export logs of stolen information.
  • Settings for the stealer component of the malware.
  • A blacklist of web pages that the malware should not target.

Targeted financial institution: Mexico region

During an observed attack on a Mexico region financial institution, we identified multiple indicators of compromise.

IOC:

In this instance, we were able to successfully retrieve Indicator of Compromise (IOC) from the JavaScript configuration file located at “8vZ9d1-ad.js”.

  • hxxps://dlxfreight.bid/mx/
  • hxxps://dlxfreight.bid/w1Q5DXr7te/gate.php
  • hxxps://pnlbanorte.dlxfreight.bid
  • hxxps://dlxfreight.bid/
  • hxxp://tomolina[.]top/
  • hxxps://facturacionmexico.net/choa.php
  • hxxps://dlxfreightmore.com

How to stay safe from Kronos

To protect against Kronos, it is important to use reputable antivirus and anti-malware programs, as well as to keep systems updated with the latest security patches and software updates. Additionally, employees should be educated on how to recognize and avoid phishing emails, and organizations should implement email filtering and other security measures to block malicious emails.

If a system is suspected to be infected with Kronos, it is important to take the system offline immediately and perform a thorough scan using antivirus and anti-malware tools. Any sensitive data that may have been compromised should also be changed immediately.

It is suspected that this malware campaign may potentially spread to the North American region and potentially also to the European region. Due to its advanced functionality and ability to evade detection, it is important for individuals and organizations in these regions to be aware of the threat it poses and take the actions noted above to better protect against it.

To learn how to authenticate customers, detect fraud and protect against malicious users across all channels, explore IBM Security Trusteer solutions.

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today