The WannaCry ransomware hero is facing charges in the United States for developing the Kronos banking trojan.
In August 2017, Marcus Hutchins (@MalwareTechBlog on Twitter), aka the WannaCry ransomware hero, was arrested in the United States by the FBI and charged with playing a vital role in the development of the Kronos banking trojan. He is still in the States facing federal charges; however, a new variant of Kronos has now been identified.
Kronos was originally discovered in July 2014, stealing banking credentials from customers around the world, primarily those in North America and the United Kingdom. The new version of Kronos was identified by Proofpoint in April 2018, targeting users in Japan, Poland, and Germany.
Dark web-based C&C
According to researchers, the cybercriminals behind the trojan have rebranded it to “Osiris” and are currently selling it on different underground marketplaces. The core difference that researchers noticed between Kronos and Osiris is the command and control (C&C) mechanism, which has been refactored to use the Tor network.
Germany
Between June 27th and June 30th, researchers discovered an email campaign using malware-infected Word documents targeting users in Germany. In this campaign, cybercriminals used spoofed email addresses and pretended to represent German financial companies, informing users about updates to their terms and conditions related to the General Data Protection Regulation (GDPR).
The document contained malicious macros which, once clicked, would drop Kronos. In total, the email campaign targeted five German financial companies. In the last couple of months, users around the world have received tons of GDPR-related emails, so it is not surprising that cybercriminals used the regulation to trick users.
In a similar campaign last month, cybercriminals used GDPR to blackmail companies, threatening to publish the entire content of their database, containing personal data records, on a public server, which under the regulation would mean the company being severely fined.
Poland
In Poland, researchers found similar email campaigns containing fake invoice files targeting users from July 15th to 16th. This campaign used an Equation Editor exploit to drop Kronos on the victim’s device. It must be noted that in January 2018, Microsoft addressed the vulnerability and issued a patch for it. Therefore, applying patches can protect users against the Kronos trojan.
Japan
On July 13th, 13 financial institutions in Japan were hit by a malvertising campaign in which cybercriminals used Smoke Bot or Smoke Loader to drop the Kronos trojan. According to researchers, the same campaign was previously used to download Zeus Panda malware.
New attack
On July 20th, Proofpoint researchers spotted a new campaign infecting computers with the Kronos trojan. In this campaign, cybercriminals are running a website claiming to provide a download file for the Stream EYE music player. Once the user clicks on the “GET IT NOW” button, it drops the Kronos download file on the system.
“Kronos uses man-in-the-browser techniques along with web inject rules to modify the web pages of financial institutions, facilitating the theft of user credentials, account information, other user information, and money through fraudulent transactions. It also has keylogging and hidden VNC functionality to help with its “banker” activities,” explained Proofpoint researchers.
MalwareTech’s response
As mentioned before, Marcus Hutchins is facing charges for allegedly creating the Kronos banking trojan. Hutchins is the same security researcher who halted the spread of the WannaCry ransomware and got the nickname of WannaCry hero. In response to Proofpoint’s findings, Hutchins tweeted about the new variant of Kronos and said that “I’m still on trial for writing Kronos, meanwhile the real author is still updating the code.”
To protect yourself from Kronos and other banking malware, make sure never to download files from unknown emails, never click links received from anonymous senders, keep your system updated, and run anti-virus scans regularly.