Kronos is here…
Early in July, news regarding an alleged new banking Trojan called Kronos showed up in underground forums. Unfortunately there was no real evidence to confirm the existence of this threat, except for the selling ads highlighting its main features, which were:
- Credential stealing and form grabbing that supports Internet Explorer, Firefox and Chrome
- HTML web injection (technique used to perform Man in the Browser attacks)
- Rootkit that works on 32/64 bit operating systems
- Antivirus evasion
- Sandbox evasion
- Encrypted communication channel with the C&C
Well, it certainly did not take too long for it to appear in the wild…
Last week our Automatic Malware Analysis Platform detected a suspicious binary that grabbed our attention. After taking a closer look at it, we found that it contained a string that caught our eye:
Once we got “hands on” with the reversing we found evidence confirming that, indeed, its features matched those attributed to Kronos.
As a curiosity, we noticed some sort of hidden message which may have been left there for us, the analysts, saying “keep digging”, which we guess refers to the sample’s heavy protection and anti reverse engineering tricks:
We can see that message above, among other decoded strings such as the User Agent strings it uses and a list of common debugging tools and virtualization software process names.
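As an added illustration of how an analyst might triage such a sample (this is example code written for this post and not S21sec's platform or tooling), the script below pulls printable strings out of a binary and checks them against a list of debugger and virtualization process names, collects any User Agent strings, and compares the file's MD5 against the hash reported at the end of this post. The sample blob is constructed here for the example, and the process-name lists are generic names of well-known analysis tools, not strings taken from the Kronos binary itself.

```python
import hashlib
import re

# Constructed sample blob: a fake "binary" carrying strings of the kind
# described in the post. It is NOT data from the real Kronos sample.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"keep digging\x00"
    + b"Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101 Firefox/24.0\x00"
    + b"ollydbg.exe\x00" + b"\x00" * 3
    + b"vmtoolsd.exe\x00"
    + b"wireshark.exe\x00"
)

# Assumed lists: generic debugger / monitoring tool and virtualization
# process names commonly checked by anti-analysis code. These are the
# example's own assumptions, not the list found inside Kronos.
ANALYSIS_TOOL_NAMES = {
    "ollydbg.exe", "windbg.exe", "idaq.exe", "x64dbg.exe",
    "wireshark.exe", "procmon.exe", "procexp.exe",
}
VM_PROCESS_NAMES = {
    "vmtoolsd.exe", "vmwaretray.exe", "vboxservice.exe",
    "vboxtray.exe", "vmsrvc.exe",
}

# MD5 of the sample as reported in the post.
KRONOS_SAMPLE_MD5 = "f085395253a40ce8ca077228c2322010"


def extract_strings(data, min_len=4):
    """Return printable ASCII runs of at least min_len characters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(data):
    """Static triage: hash the file and flag anti-analysis indicators.

    Returns a dict so the caller (or a test) can act on the findings
    rather than relying on printed output.
    """
    strings = extract_strings(data)
    lowered = {s.lower() for s in strings}
    found_tools = sorted(lowered & ANALYSIS_TOOL_NAMES)
    found_vm = sorted(lowered & VM_PROCESS_NAMES)
    user_agents = [s for s in strings if s.startswith("Mozilla/")]
    md5 = hashlib.md5(data).hexdigest()
    return {
        "md5": md5,
        "known_kronos_sample": md5 == KRONOS_SAMPLE_MD5,
        "analysis_tools": found_tools,
        "vm_processes": found_vm,
        "user_agents": user_agents,
        # A binary that embeds names of debuggers or VM services is
        # worth a closer look: it likely checks for them at runtime.
        "anti_analysis_suspected": bool(found_tools or found_vm),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BLOB)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real file by replacing SAMPLE_BLOB with the file's bytes; a hit in `analysis_tools` or `vm_processes` is a hint to run the sample in an environment where those process names are absent or renamed, which is the kind of step needed before the Trojan will reach out to its C&C.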
Once we managed to fool the Trojan into believing it was not running under a controlled environment, we were able to see the malware in action as it connected to the C&C and downloaded its configuration file which, as usual, is encrypted…
This particular sample config file targeted only French financial institutions, but there may be other samples in the wild using different settings against different banking systems.
Finally, this is how the admin login page looks for the webinjects and also for the main control panel:
Thanks for reading, and please come back for further information we hope to publish soon.
The MD5 hash of the file analyzed by S21sec was: f085395253a40ce8ca077228c2322010