Kronos banking Trojan re-emerges after re-tooling and re-brand as Osiris

Germany, Japan and Poland targetted in new banking Trojan campaign, according to Proofpoint

The Kronos banking Trojan, the malware linked with security researcher Marcus Hutchins, has re-emerged following a re-tooling, and a re-branding as Osiris.

It first made an appearance in 2014, used largely in malware campaigns in the UK and Japan before disappearing.

Now, Proofpoint claims to have uncovered a variant in the wild in campaigns in Germany, Japan and Poland. The company warns that a new campaign is currently being tested, after the first samples of this new variant uncovered in April 2018.

The Trojan has been propagated via a variety of methods, including a phishing campaign in Germany taking advantage of Word macros, targeting users of five German banks; a malvertising attack in Japan sending victims to a site riddled with malicious JavaScript injections; and, a phishing campaign bearing fake Microsoft Word invoice documents in Poland.

The campaigns have been run during June and July, with a second campaign opening in Poland just last week on 20 July.

Kronos "is a banking Trojan that uses man-in-the-browser techniques along with webinject rules to modify the web pages of financial institutions, facilitating the theft of user credentials, account information, other user information, and money through fraudulent transactions. It also has keylogging and hidden VNC functionality to help with its ‘banker' activities," explained Proofpoint in a research paper.

One of the main differences between old and new Kronos is that the new variant using.onion command and control, along with Tor, in a bid to anonymise communications.

Proofpoint believes that the re-emergence of Kronos is linked to the emergence of Osiris, which was advertised earlier this year, offering features that overlap with samples of Kronos picked up in the recent campaigns.

Proofpoint warned that it provided further evidence that hackers were turning their attention from crypto-currency mining back to more direct money-making schemes.

"The first half of this year has been marked by substantial diversity among malicious email campaigns but banking Trojans in particular have predominated. The Kronos banking Trojan has a relatively long and interesting history and it looks like it will continue as a fixture in the threat landscape for now," it warned.

Hutchins is alleged to have written the Kronos Trojan in 2014 and sold it in 2015 via the AlphaBay malware darknet market shut down in July 2017. He was arrested in August 2017 when boarding a flight back from the US to the UK after attending a series of security events.

Hutchins shot to fame during the WannaCry ransomware outbreak when he discovered how to quickly and easily disable it. However, the FBI claims that Hutchins dabbled in malware writing for profit, but Hutchins has refuted the claims.

It is believed that the purchaser of Kronos from Hutchins was US-based and apprehended by the FBI when he sought to sell copies of Kronos to an FBI agent.

'VinnyK', as he is referred to in Hutchins' latest indictment, is believed to have pointed the finger of blame for creating the malware at Hutchins and does not appear to be facing any charges.