A new variant of the Kronos banking trojan, which was first identified in 2014 and disappeared abruptly a few years later, has been discovered by Proofpoint researchers.
The new version, which they suspect has been rebranded ‘Osiris’, has been used to target victims in Germany, Poland and Japan. It was initially spotted in April 2018, and apart from a few updates – notably the command and control mechanism having been refactored to use the Tor network – is extremely similar to Kronos, including a string of code which identifies it as such.
The first samples spotted are thought to have been tests, with the first serious campaign observed at the end of June as part of an email campaign targeting German users. The emails sent out claimed to be from financial companies, with subject lines such as “Aktualisierung unsere AGBs” (“Updating our terms and conditions”) – perhaps attempting to camouflage itself among the flood of GDPR-related emails many received. The emails included correspondingly-titled documents, containing macros which (if enabled) would download and execute the trojan, sometimes via SmokeLoader.
In July, the trojan was seen again in a campaign targeting Japanese users. This campaign used malvertising to send users to a site containing malicious web injections which distributed SmokeLoader. The Proofpoint researchers said that based on their previous tracking of a threat actor involved in the campaign they had expected the final payload to be Zeus Panda, but instead the trojan delivered was the new variant of Kronos.
The campaign targeting Polish users was observed a few days after the Japanese campaign. Like the German campaign, emails purporting to be from financial companies asked users to download a document, which in turn downloaded and executed the new Kronos variant, this time by exploiting CVE-2017-11882.
Later in the month, the researchers also discovered a new campaign, which appeared to be a work in progress. The exact intended attack vector of this campaign is unknown, but the website utilised branded itself as a music streaming service available for download. Clicking on the download link would have downloaded the Kronos variant.
At around the same time that the ‘2018 Kronos’ samples began appearing in the wild, an ad for a banking trojan named ‘Osiris’ appeared on a dark web forum. Proofpoint researchers were unable to obtain a sample of Osiris, but the features and file size (approx 350KB) described in the ad closely match an early sample of the new Kronos variant, which was named ‘os.exe’. The researchers also noted that some of the names mentioned in the ad were also used in the new Kronos variant samples targeting Japanese users.
Marcus Hutchins, who (a few months after being hailed a hero for stopping the spread of WannaCry) was accused of writing the code for Kronos, tweeted in response to the Proofpoint blog post, saying “I’m still on trial for writing Kronos, meanwhile the real author is still updating the code”.