Kronos is here…

Early in July, news of an alleged new banking Trojan called Kronos showed up in underground forums. Unfortunately there was no real evidence to confirm the existence of this threat, apart from the sales ads highlighting its main features, which were:

  • Credential stealing and form grabbing that supports Internet Explorer, Firefox and Chrome
  • HTML web injection (technique used to perform Man in the Browser attacks)
  • Rootkit that works on 32/64 bit operating systems
  • Antivirus evasion
  • Sandbox evasion
  • Encrypted communication channel with the C&C

Well, it certainly did not take too long for it to appear in the wild…

Last week our Automatic Malware Analysis Platform detected a suspicious binary that grabbed our attention. After taking a closer look at it, we found that it contained a string that caught our eye:

Once we got “hands on” with the reversing we found evidence confirming that, indeed, its features matched those attributed to Kronos.

As a curiosity, we noticed some sort of hidden message which may have been left there for us, with analysts in mind, saying “keep digging”, presumably in reference to the sample’s heavy protection and anti-reverse-engineering tricks:

We can see that message above, among other decoded strings such as the User-Agent strings the Trojan uses and a list of process names belonging to common debugging tools and virtualization software.

Once we managed to fool the Trojan into believing it was not running under a controlled environment, we were able to see the malware in action as it connected to the C&C and downloaded its configuration file which, as usual, is encrypted…

… we were able to decode it and, unsurprisingly, it contained Zeus-style “web injects” (a mix of HTML and JavaScript code used to trick the user).

Below is a snippet from the decoded configuration file showing JavaScript code that, once injected into the session of the victim’s browser, is able to drive the user through the various steps needed to complete a fraudulent transaction without the user’s awareness:

This particular sample config file targeted only French financial institutions, but there may be other samples in the wild using different settings against different banking systems.
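The decoded strings mentioned above (the “keep digging” message, User-Agent strings and a list of debugger and virtualization process names) and the Zeus-style web-inject configuration are the kind of material an analyst triages once a sample is unpacked. The following helper is an added example written for this post, not code from S21sec or from the sample: it sorts a list of recovered strings into categories that signal sandbox/debugger evasion and web-inject capability. The indicator lists and the input strings are constructed for illustration (the process names are a small, well-known subset, not the sample’s own list; the bank URL is a placeholder).

```python
"""Triage helper: classify strings recovered from an unpacked sample.

Added example, not from the original post. Indicator lists below are a
constructed, illustrative subset; extend them from your own analysis.
"""
import re

# Process names typically checked by anti-debugging routines (constructed subset).
DEBUGGER_PROCESSES = {
    "ollydbg.exe", "x64dbg.exe", "x32dbg.exe", "windbg.exe",
    "idaq.exe", "idaq64.exe", "immunitydebugger.exe",
}

# Process names typically checked by anti-VM / anti-sandbox routines (constructed subset).
VM_PROCESSES = {
    "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe",
    "vmwaretray.exe", "vmwareuser.exe", "xenservice.exe",
}

# Browser User-Agent strings embedded for C&C traffic look like "Mozilla/5.0 (...".
USER_AGENT_RE = re.compile(r"^Mozilla/\d\.\d \(", re.IGNORECASE)

# Keywords of the Zeus-style web-inject configuration format.
WEBINJECT_MARKERS = {"set_url", "data_before", "data_after", "data_inject", "data_end"}

CATEGORIES = ("debugger_process", "vm_process", "user_agent", "webinject_marker", "other")


def classify_string(s: str) -> str:
    """Return the category name for one recovered string."""
    lowered = s.strip().lower()
    if not lowered:
        return "other"
    if lowered in DEBUGGER_PROCESSES:
        return "debugger_process"
    if lowered in VM_PROCESSES:
        return "vm_process"
    if USER_AGENT_RE.match(s.strip()):
        return "user_agent"
    # Web-inject directives start the line, e.g. "set_url <pattern> <flags>".
    if lowered.split()[0] in WEBINJECT_MARKERS:
        return "webinject_marker"
    return "other"


def triage(strings):
    """Group strings by category; lists are sorted for stable reporting."""
    report = {name: [] for name in CATEGORIES}
    for s in strings:
        report[classify_string(s)].append(s)
    return {name: sorted(items) for name, items in report.items()}


def has_evasion_capability(report) -> bool:
    """True when the sample references debugger or VM process names."""
    return bool(report["debugger_process"] or report["vm_process"])


def has_webinject_config(report) -> bool:
    """True when web-inject directives were recovered."""
    return bool(report["webinject_marker"])


# Constructed sample input standing in for strings dumped from an unpacked binary
# and its decoded configuration. The bank hostname is a placeholder.
SAMPLE_STRINGS = [
    "keep digging",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0",
    "ollydbg.exe",
    "VBoxService.exe",
    "vmtoolsd.exe",
    "set_url https://*.example-bank.test/* GP",
    "data_before",
    "kernel32.dll",
    "GetProcAddress",
]

if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    for name in CATEGORIES:
        print(f"{name:17s} {result[name]}")
    print("evasion capability:", has_evasion_capability(result))
    print("web-inject config :", has_webinject_config(result))
```

Matching is case-insensitive because malware string tables and Windows process listings disagree on capitalisation (VBoxService.exe versus vboxservice.exe), and the web-inject check keys on the first token of the line so that `set_url` directives carrying a URL pattern and flags are still recognised.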

Finally, this is what the admin login page looks like for the web injects and also for the main control panel:

Thanks for reading, and please come back for further information we hope to publish soon.

Jozsef Gegeny

S21sec Ecrime
The MD5 signature of the file analyzed by S21sec was: f085395253a40ce8ca077228c2322010

Leave a comment

  • PE00 5 August 2014 at 1:03 pm Reply

    I had a look at the file mentioned (f085395253a40ce8ca077228c2322010) using PEStudio but I don't find the Kronos PDB string! Am I missing something?

  • S21sec e-crime 6 August 2014 at 8:02 am Reply

    Hi! It needs to be unpacked first 😉

  • Pavel Topolev 9 October 2014 at 3:25 pm Reply

    How was it dropped?

  • Pavel Topolev 9 October 2014 at 3:25 pm Reply

    How was it dropped?