New banking malware 'Kronos' advertised on underground forums

Its creators seek to establish the new threat as a premium commercial alternative to older Trojans like Zeus

A new Trojan program designed to steal log-in credentials and other financial information from online banking websites is being advertised to cybercriminal groups on the underground market.

The new malware is called Kronos, and based on a recent ad seen on a Russian cybercriminal forum, it can steal credentials from browsing sessions in Internet Explorer, Mozilla Firefox and Google Chrome by using form-grabbing and HTML content injection techniques, said Etay Maor, a senior fraud prevention strategist at IBM subsidiary Trusteer, Friday in a blog post.

According to the ad, the new threat is compatible with content-injection scripts -- also known as Web injects -- developed for Zeus, a popular online banking Trojan that's no longer in development. This design decision is intended to allow cybercriminals who still use Zeus variants in their operations to easily switch to Kronos.

In addition to the information-theft capabilities, the new Trojan has a user-mode rootkit component for 32-bit and 64-bit Windows systems that can protect its processes from competing malware. Its creator also claims that Kronos can evade antivirus detection and sandbox environments typically used for malware analysis.

The new cybercriminal tool is being advertised for $7,000, a price that includes the promise of continued development, free upgrades and bug fixes.

"Most malware today is sold in the low hundreds of dollars, sometimes even offered for free due to several malware source code leaks," Maor said. "It remains to be seen how popular Kronos will be within the cyber crime community," he said.

The premium price suggests that Kronos is intended as a replacement for former commercial crimeware toolkits like Zeus, Carberp and SpyEye, whose development has been discontinued or whose source code has been leaked in recent years.

According to researchers from Kaspersky Lab, who also saw the Kronos advertisements on several underground forums last week, the new online banking threat appears to be based on the source code of Carberp.

The screenshots posted by Kronos' author show fragments of code injected into other processes, and the code looks pretty similar to Carberp's, said Dmitry Tarakanov, senior security researcher at Kaspersky Lab, Monday via email.

Carberp has also been sold to cybercriminals in the past at a premium price, but the malware's source code was leaked online last year, possibly after internal disputes between its creators.

Trusteer and Kaspersky Lab have yet to obtain a sample of Kronos for analysis.

The $7,000 price is not a sum that would scare off serious cybercriminals if the offer is solid, Tarakanov said. "Professional groups can make hundreds of thousands [of dollars], so $7,000 is more than acceptable for them."

Without third-party analysis the claims made by Kronos' creator should be viewed with skepticism, said Chris Boyd, malware intelligence analyst at Malwarebytes, via email. "In particular, sandbox bypassing is a very broad claim -- there are multiple sandboxes and they all have many ways to defeat evasive malware. Getting around one could well be doable, but all of them? It's probably unlikely, and if it could do that one suspects it would fetch a much higher asking price."

The promise of continued support and bug fixes might be one of the most attractive features of Kronos, according to Tim Erlin, director of security and risk at Tripwire.

"Anyone running a business requires stable and secure software to do so, and that includes cybercriminals," Erlin said. "Being new, and therefore harder to detect, is [also] a feature in and of itself."

News of this new online banking malware threat comes after law enforcement agencies from several countries at the beginning of June worked with security vendors to shut down a financial fraud botnet based on a Zeus spin-off called Gameover. The FBI estimates that the botnet led to losses of over US$100 million globally.

On Friday, security researchers from CSIS Security Group in Denmark reported that the source code of yet another online banking Trojan called Tinba was leaked on underground forums.

"The cybercriminal underground is a market," Tarakanov said. "Source code leakages and botnet shutdowns have been happening constantly but we see virus writers from time to time come up with new (or based on old but modified) banking malware. It proves that the market wants such tools."
