New Trojan from the Russian Underground

While major players like Zeus, Gozi, Citadel and other advanced financial malware dominate the malware threat landscape, newcomers and challengers always try to get a share of the cyber crime market. One such new malware that was recently made available for purchase in a Russian underground forum is the Kronos malware. With a $7,000 price tag, this malware offers multiple modules for evading detection and analysis as well as an option to test the malware for a week prior to buying it.

Note that the following descriptions of Kronos are based solely on entries in the underground forum; Trusteer, an IBM company, has not yet analyzed a malware sample in order to validate the seller’s claims.

Kronos Malware: Like Father, Like Son?

We recently found a cyber criminal offering the Kronos malware to members of a major Russian underground forum. The forum post details several of the malware’s technical capabilities and concludes with information on business and purchase options. From the malware’s description, several elements are worth noting:

  • Common credential-stealing techniques such as form grabbing and HTML injection compatible with the major browsers (Internet Explorer, Firefox and Chrome);
  • 32- and 64-bit ring3 (user-mode) rootkit capable of also “defending from other Trojans”;
  • Antivirus bypassing;
  • Malware-to-C&C communication encryption;
  • Sandbox bypassing.

Consistent with other financial malware developments, it seems that significant time and effort were given to evading security tools used both by end users and security white hats. In addition, the HTML injection mechanism is compatible with Zeus. Because Zeus is the most widely deployed malware, and it is likely that potential clients have used or still use Zeus variants, the authors of Kronos made sure that the HTML injection files used by Zeus operators can be easily implemented with Kronos. Coincidence or not, it is also worth noting that in Greek mythology, Kronos is Zeus’ father.

The business side of this offer is interesting as well. Most malware today is sold in the low hundreds of dollars, sometimes even offered for free due to several malware source code leaks. Comparatively, the Kronos malware carries a hefty cost of $7,000. This price, however, is not the first time a new malware seller has demanded a premium. Approximately four years ago, Carberp was released and priced at $10,000 (and $15,000 for the addition of the VNC module, which is almost a standard capability of today’s financial malware). The Kronos seller also offers a one-week testing server for $1,000, during which time a potential client will have access to the malware’s control panel and all the bot’s capabilities.

The authors promise to develop new modules for the malware (which will be charged separately), along with updates and bug fixes (free of charge). The preferred payment methods for this deal are various forms of e-currency such as Perfect Money and Bitcoin. As an incentive, early buyers are promised a discounted price.

It remains to be seen how popular Kronos will be within the cybercrime community. Trusteer’s security team continues to monitor underground forums for new threats as well as analyze, reverse engineer and study new malware files.

I present you a new banking Trojan

Compatible with 64 and 32bit rootkit Trojan is equipped with the tools to give you successful banking actions.Formgrabber: Works on Chrome, IE, FF in latest versions. Works on the majority of older versions as well. Steals logs from each website Webinjects: Works on latest Chrome, IE, FF, latest and majority of older versions. Injections are in Zeus config format, so it’s easy to transfer the config from one another.32 and 64bit Ring3 rootkit: The Trojan also has a ring 3 rootkit that defends it from other Trojans.

Proactive Bypass: The Trojan uses an undetected injection method to work in a secure process and bypass proactive anti-virus protections. Encrypted Communication: Connection between bot and panel is encrypted to protect against sniffers. Usermode Sandbox and rootkit bypass: The Trojan is able to bypass any hook in usermode functions which bypasses rootkits or sandboxes which use these hooks.

1000$ a week of testing. The server will be hosted only for you. You need just a domain or a payment including the domain fee. You’ll have full access to the C&C, without any limits or restrictions during test mode.7000$ Lifetime product license, free updates and bug removals. New modules will not be free , and you will need to pay additionally. We accept Perfect Money, Bitcoin, WMZ, BTC-E.comCurrently the Trojan is written in its fullest. Next week we will have tests and bug fixing, then release. Pre-ordering the Trojan will give you a discount.

More from Banking & Finance

How the ZeuS Trojan Info Stealer Changed Cybersecurity

4 min read - Information stealer malware is a type of malicious software designed to collect sensitive information from a victim’s computer. Also known as info stealers, data stealers or data-stealing malware, this software is true to its name: after infecting a computer or device, it’s highly adept at exfiltrating login credentials, financial information and personal data. Info stealers typically operate by monitoring keyboard input, capturing screenshots and intercepting network traffic. They may also search a hard drive for specific types of data. The…

4 min read

2022 Industry Threat Recap: Finance and Insurance

5 min read - The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022. What…

5 min read

How to Spot a Nefarious Cryptocurrency Platform

4 min read - Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

4 min read

Kronos Malware Reemerges with Increased Functionality

6 min read - The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

6 min read