• The Kronos banking trojan has been rebranded as Osiris.
  • The new Kronos variant’s C2 server now uses the TOR network.

A new variant of the Kronos banking trojan has recently been discovered by security researchers. Kronos was first discovered in 2014 and was highly popular for a while, before largely disappearing from the threat landscape.

Security researchers at Proofpoint discovered a new Egyptian variant of Kronos earlier in July. The malware, which has been rebranded as Osiris, has been used by cybercriminals in attacks targeting victims located in Germany, Poland and Japan. Osiris is also currently being sold by the malware’s authors and/or operators in the dark web.

“Kronos malware has been well-documented previously. It is a banking Trojan that uses man-in-the-browser techniques along with webinject rules to modify the web pages of financial institutions, facilitating the theft of user credentials, account information, other user information, and money through fraudulent transactions,” Proofpoint researchers said in a blog. “It also has keylogging and hidden VNC functionality to help with its “banker” activities.”

Campaign timeline

Proofpoint researchers also found that the cybercriminals operating Osiris are also involved in a fourth campaign, which appears to be in development. The first campaign began on June 27 and targeted German users. In some cases, the campaign also used the SmokeLoader malware as an intermediary. Simultaneously, the hackers also launched another campaign targeting Japanese users, which also used SmokeLoader to drop Kornos.

The next campaign began on July 15 and targeted victims in Poland. The cybercriminals used the EquationEditor exploit to drop Kronos on targeted systems. Meanwhile, the most recent campaign, which began on July 20 and is believed to be a “work in progress”, is still ongoing. However, it is still unclear which nation this particular campaign will target.

Osiris’ similarities with Kronos

Osiris has several similarities with Kronos, including extensive code and string overlap as well as same C2 encryption and protocol. Osiris also shares the same Windows API hashing techniques and hashes as Kronos.

Like Kronos, Osiris is also a banking malware, capable of stealing credentials, as well as keylogging. However, one major difference between the two malware variants is the Osiris’ C2 is configured to use the TOR network.

According to an ad for Osiris that appeared on a dark web hacking forum, the malware is written in C++ and is 350KB in size.

“The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape. The Kronos banking Trojan has a relatively long and interesting history and it looks like it will continue as a fixture in the threat landscape for now,” Proofpoint researchers added. “While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan.

Cyware Publisher