Kronos Banking Trojan Makes A Comeback

Updated on October 11, 2022, by Xcitium


Kronos malware was first discovered in 2014 and maintained a steady presence on the threat landscape for a few more years before vanishing for a while. Recently, a new variant of the Kronos banking Trojan targeted users in Germany, Japan, and Poland.

The returning Kronos banking Trojan uses web injects and man-in-the-browser (MitB) attacks to alter web pages as the victim loads them and to steal account information, credentials, and other sensitive data. It can also log keystrokes and includes hidden VNC functionality for remote access.

Researchers identified three campaigns distributing a renewed version of this banking Trojan. These three campaigns have been targeting Germany, Japan, and Poland. A fourth campaign also seems to be in progress.

  • Campaign One: The first campaign to carry the latest Kronos samples took place on June 27. This campaign targeted German users with malicious documents attached to spam emails. The documents carried macros to download and execute the malware, and the SmokeLoader Trojan downloader was used in a few cases.
  • Campaign Two: The second campaign targeting Japan was observed on July 13 and involved a malvertising chain. Malicious ads directed users to a site where JavaScript injections redirected to the RIG exploit kit, which delivered SmokeLoader. This was followed by the downloader dropping Kronos onto the compromised machines.
  • Campaign Three: The campaign targeting Poland started on July 15 and involved fake invoice emails carrying malicious documents that tried to exploit CVE-2017-11882 (the Equation Editor vulnerability) to download and execute Kronos. The Kronos samples observed in all three campaigns were designed to use .onion domains for C&C purposes. Additionally, the researchers observed that web injects were employed in the Japanese and German campaigns, but none were seen in the attacks on Poland.
  • Campaign Four: A fourth campaign that commenced on July 20 appeared to be a work in progress. The Kronos samples were again configured to use the Tor network, and a test web inject was spotted.

What You’ll Find In The New Variant Of The Kronos Banking Trojan

Here are some details on the 2018 Kronos samples:

  • They share extensive code and string overlap with the older versions
  • They use the same Windows API hashing technique and the same hashes
  • They use the same string encryption technique
  • They feature the same C&C encryption mechanism and protocol
  • They use the same web inject format

The C&C panel file layout is very much like the older variants and a self-identifying string is also present in the malware. However, the major change is the use of .onion C&C URLs and the Tor network to anonymize communications.
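Because the one major change in the new samples is Tor-based C&C over .onion URLs, a defender's first practical check is whether any host on the network is talking to .onion addresses at all, and whether it does so repeatedly. The following is an added illustration of that check, not code from the page, from Xcitium or from the researchers it cites: it parses a constructed proxy log (the log format, client IPs and onion hostnames are all hypothetical, not indicators from the page), flags requests to .onion hosts, classifies the address generation by label length (16 base32 characters for v2, 56 for v3), and surfaces client/host pairs that POST repeatedly, which is the check-in pattern to triage first.

```python
"""Flag proxy-log requests to .onion hosts and repeated POST beacons to them."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample hosts (hypothetical; not indicators from the article).
V2_HOST = "abcdefghijklmnop.onion"                       # 16-char base32 label
V3_HOST = ("abcdefghijklmnopqrstuvwxyz234567"
           "abcdefghijklmnopqrstuvwx") + ".onion"        # 56-char base32 label

# Constructed sample proxy log: timestamp, client IP, method, URL, HTTP status.
SAMPLE_PROXY_LOG = f"""\
2018-07-16T09:01:02Z 10.0.5.23 GET http://intranet.example.internal/login 200
2018-07-16T09:01:45Z 10.0.5.23 POST http://{V2_HOST}/gate.php 200
2018-07-16T09:02:30Z 10.0.5.41 GET https://www.example.com/news 200
2018-07-16T09:03:10Z 10.0.5.23 POST http://{V2_HOST}/gate.php 200
2018-07-16T09:04:05Z 10.0.5.23 POST http://{V2_HOST}/gate.php 200
2018-07-16T09:05:00Z 10.0.5.77 GET http://{V3_HOST}/ 200
2018-07-16T09:06:12Z 10.0.5.41 GET https://notonion.example.com/onion.html 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
# Real onion addresses are base32 (a-z, 2-7): 16 chars for v2, 56 chars for v3.
ONION_LABEL_RE = re.compile(r"^([a-z2-7]{16}|[a-z2-7]{56})\.onion$")


@dataclass(frozen=True)
class OnionHit:
    ts: str
    client: str
    method: str
    host: str
    version: str  # "v2", "v3" or "unknown" (ends in .onion but label is malformed)


def classify_onion(host: str) -> Optional[str]:
    """Return the onion address generation for a host, or None if it is not an .onion host."""
    host = host.lower().rstrip(".")
    if not host.endswith(".onion"):
        return None
    m = ONION_LABEL_RE.match(host)
    if m is None:
        return "unknown"
    return "v2" if len(m.group(1)) == 16 else "v3"


def find_onion_requests(log_text: str) -> List[OnionHit]:
    """Parse the log and return every request whose destination host is an .onion address."""
    hits: List[OnionHit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        host = urlsplit(m["url"]).hostname  # only the host matters, not paths like /onion.html
        if host is None:
            continue
        version = classify_onion(host)
        if version is None:
            continue
        hits.append(OnionHit(m["ts"], m["client"], m["method"], host, version))
    return hits


def beacon_candidates(hits: List[OnionHit], min_posts: int = 3) -> List[Tuple[str, str]]:
    """(client, host) pairs with at least min_posts POSTs: repeated check-ins, not one-off visits."""
    counts = Counter((h.client, h.host) for h in hits if h.method == "POST")
    return sorted(pair for pair, n in counts.items() if n >= min_posts)


if __name__ == "__main__":
    found = find_onion_requests(SAMPLE_PROXY_LOG)
    for h in found:
        print(f"{h.ts} {h.client} {h.method} {h.host} ({h.version})")
    print("beacon candidates:", beacon_candidates(found))
```

In practice the same logic runs over DNS or proxy exports from a SIEM; the threshold and the "POST only" filter are tuning choices, and an environment that never legitimately uses Tor can simply alert on any .onion hit.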

There is some circumstantial evidence indicating that this latest variant of Kronos has been rebranded ‘Osiris’ (the Egyptian god of rebirth) and is being sold on underground markets.

Osiris is advertised on underground forums as having capabilities that overlap with those observed in the new version of Kronos, and at almost the same size (350 KB). The researchers also observed a file naming scheme in Kronos that appears to indicate a connection with Osiris.

Xcitium Advanced Endpoint Protection Will Protect Your Banking Information

Endpoint protection prevents targeted attacks and advanced persistent threats (APTs), which cannot be stopped by antivirus solutions alone. Endpoint security solutions give enterprises a complete, centrally managed spectrum of security controls for securing workstations, endpoints, servers, and similar assets.

Xcitium Advanced Endpoint Protection (AEP) quarantines all unknown files in auto-containment, a virtual container in which suspicious files can be executed and examined instantly and safely. Xcitium AEP operates from a Default Deny Platform, providing complete enterprise visibility while keeping the endpoints connected to the organization's network malware-free. Its IT and security management console handles Linux, OSX, iOS, Windows, and Android devices linked to all physical and virtual networks.

How Xcitium Advanced Endpoint Protection Works:

  • AEP employs the Default Deny Platform™ to block known-bad files and automatically contain unknown files in a virtual container, using Intelligent Automatic Containment technology.
  • Xcitium VirusScope technology examines unknown files at the endpoint for malicious actions and behavior.
  • Valkyrie provides an accelerated cloud-based verdict in about 45 seconds, based on dynamic analysis, static analysis, and human analyst interaction.
  • Malicious files are removed, good files are permitted to run on the endpoint CPU and unknown files are contained in the lightweight virtual container on the endpoint and examined in real-time.
  • Advanced Endpoint Protection can be provisioned within just a minute; it uses negligible CPU resources and needs an endpoint footprint of only about 10 MB. The program provides absolute security for both virtual and physical endpoints in both small and big enterprises.
