loader gif

Osiris: New Kronos malware variant exploits Microsoft Office flaw to harvest banking credentials

Osiris: New Kronos malware variant exploits Microsoft Office flaw to harvest banking credentials
  • Discovered back in July 2014, the original Kronos malware is being sold on a Russian underground forum for a hefty $7000.
  • The malware can harvest information from users checking their bank accounts online or use keylogging to harvest their credentials and other valuable data.

A new variant of the banking Trojan Kronos has been discovered leveraging a Microsoft Office vulnerability to harvest banking information and hijack accounts. Securonix researchers spotted the new variant called Osiris in July this year.

Discovered back in July 2014, the original Kronos malware is being sold on a Russian underground forum for a hefty $7000. The newly discovered Osiris has been discovered in three different campaigns targeting Germany, Japan and Poland, researchers said.

Osiris comes with multiple new features such as Tor network command-and-control (C&C), remote control via VNC and keylogging. It also sports some older features seen in the original Kronos malware such as form grabbing and web-injection capabilities.

Kronos/Osiris is primarily being distributed via phishing emails that contain carefully crafted Microsoft Office documents or RTF attachments embedded with macros that drop and execute obfuscated VB stagers. The malware is also being distributed via exploit kits such as RIG EK as well.

The malicious documents exploit CVE-2017-11882 - a buffer flow vulnerability in the Microsoft Office Equation Editor Component that was discovered back in 2017. The flaw allows the attacker to perform arbitrary code execution. Although the 17-year-old bug was eventually patched in mid-November 2017, systems that haven't implemented the patch are vulnerable to the malware.

Kronos/Osiris has its C2 server hosted in Tor and is able to connect to multiple Tor notes located in various countries to communicate with its C2 server. Some versions of the malware also support remote control via a custom LibVNCServ- er library.

The malware also uses anti-VM and anti-Sandbox mechanisms to evade detection or analysis by experts. To maintain persistence, Kronos copies itself into the C: \Users\%\AppData\Roaming folder and writes itself to startup.

"In many cases, the malware also modifies the internet zones settings using registry and lowers the security settings of Firefox to evade being blocked while using man-in-browser attack to webinject into banking websites," researchers noted in a report.

Once executed, Kronos/Osiris attempts to steal data from multiple sources.

"The primary method of collection is through a man-in-browser attack to webinject malicious script into banking websites and grabbing form values," researchers said. "The malware downloads the latest configurations (specifies the location of script injection in the website) of target banking websites from the C2."

Leveraging the malware, the attackers can harvest information from users checking their bank accounts online or use keylogging to harvest their credentials and other valuable data.

Users have been advised to patch operating systems and software firmware, particularly Microsoft Office products. They have also been advised to block all connections to the known Tor nodes on the proxy and firewall, leverage a centralized patch management systems and implement an end-user security training program.

loader gif