The Kronos banking Trojan is back after several years, as Proofpoint Inc. researchers found it targeting victims in Germany, Japan and Poland. How did researchers tie this new variant to the original Kronos, and what's different about the latest version?
To stay a step ahead of antimalware researchers, malware authors have to keep updating their code, adding capabilities that bypass the security controls defenders have deployed since the previous version. After being largely dormant for several years, a variant of the Kronos banking Trojan has returned with new functionality.
Proofpoint reported that Kronos "is a banking Trojan that uses man-in-the-browser techniques along with webinject rules to modify the web pages of financial institutions, facilitating the theft of user credentials, account information, other user information, and money through fraudulent transactions. It also has keylogging and hidden VNC [Virtual Network Computing] functionality to help with its 'banker' activities."
The updated Kronos uses Tor for its command-and-control (C&C) channel, which makes the operators' infrastructure harder to locate and take down. Although the malware appears to have been rebranded as Osiris, it shares extensive similarities with earlier Kronos versions: the same Windows API usage, the same string encryption, the same C&C protocol format (now carried over Tor), the same WebInject format and a similar C&C panel layout. Those overlaps are what allowed researchers to tie the new samples to the original family.
Renaming the malware does little to help it evade detection. Antimalware products do not key on the name but on behavior and signatures, and the same shared API usage, encryption routines and C&C format that let researchers link Osiris to Kronos are exactly the features detections are built on.
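To make the man-in-the-browser mechanism described above concrete, the following Python example parses a webinject rule, applies it to a constructed bank login page the way the hooked browser would, and then shows the defender's side: the extra form field that a page-integrity check would see regardless of whether the sample is called Kronos or Osiris. This is an added illustration, not code from the Kronos/Osiris sample or from Proofpoint's analysis. It assumes the Zeus-compatible rule syntax (set_url, then data_before, data_inject and data_after blocks each closed by data_end), which Kronos has been reported to accept but which is treated here as an assumption; the bank page, URL and rule are constructed for the example.

```python
"""Worked example: how a Zeus-style webinject rule rewrites a bank login page.

Added illustration; not code from the Kronos/Osiris sample or from Proofpoint.
Assumptions: the rule syntax (set_url, then data_before / data_inject /
data_after blocks each closed by data_end) is the widely used Zeus-compatible
format; the bank page and the rule below are constructed for this example.
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class WebInjectRule:
    url_pattern: str   # glob from the set_url line, '*' is a wildcard
    data_before: str   # markup the bank really serves, used as the anchor
    data_inject: str   # attacker HTML placed right after the anchor
    data_after: str    # markup that must follow; anything between is replaced


_RULE_SPLIT = re.compile(r"^set_url\s+(\S+)[^\n]*\n", re.M)
_BLOCK = re.compile(r"(data_before|data_inject|data_after)\n(.*?)\ndata_end", re.S)
_INPUT_NAME = re.compile(r'<input[^>]*\bname="([^"]+)"')


def parse_webinject_config(text: str) -> list[WebInjectRule]:
    """Parse a Zeus-style config; every set_url line starts a new rule."""
    chunks = _RULE_SPLIT.split(text)  # [prefix, url1, body1, url2, body2, ...]
    rules = []
    for url, body in zip(chunks[1::2], chunks[2::2]):
        parts = dict(_BLOCK.findall(body))
        rules.append(WebInjectRule(url, parts.get("data_before", ""),
                                   parts.get("data_inject", ""),
                                   parts.get("data_after", "")))
    return rules


def apply_webinjects(url: str, html: str, rules: list[WebInjectRule]) -> str:
    """Return the page as the victim's browser renders it after injection.

    The Trojan hooks the browser's HTTP functions, so this runs on the
    decrypted response body after TLS: the bank's server never sees the change.
    """
    for rule in rules:
        if not fnmatch.fnmatchcase(url, rule.url_pattern):
            continue
        start = html.find(rule.data_before)
        if start == -1:
            continue                      # anchor missing: rule silently no-ops
        start += len(rule.data_before)
        end = html.find(rule.data_after, start)
        if end == -1:
            continue
        html = html[:start] + rule.data_inject + html[end:]
    return html


def injected_field_names(served_html: str, rendered_html: str) -> list[str]:
    """Defender's view: form fields in the rendered DOM that the server never sent.

    A client-side integrity script that reports the live form fields back to
    the bank can compare them with the template it served; extra fields are
    the webinject's fingerprint regardless of what the Trojan is called.
    """
    served = set(_INPUT_NAME.findall(served_html))
    return [n for n in _INPUT_NAME.findall(rendered_html) if n not in served]


# Constructed sample config: one rule that adds an ATM PIN field to the login form.
SAMPLE_CONFIG = """set_url https://bank.example/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<input type="text" name="card_pin" placeholder="ATM PIN">
data_end
data_after
<button
data_end
"""

# Constructed page as the (hypothetical) bank serves it.
SERVED_PAGE = ('<form method="post"><input type="text" name="user">'
               '<input type="password" name="password">'
               '<button type="submit">Log in</button></form>')

if __name__ == "__main__":
    rules = parse_webinject_config(SAMPLE_CONFIG)
    rendered = apply_webinjects("https://bank.example/login", SERVED_PAGE, rules)
    print(rendered)
    print("fields not served by the bank:", injected_field_names(SERVED_PAGE, rendered))
```

Running the script prints the login form with the injected card_pin field sitting between the genuine password field and the submit button, followed by the list of field names the bank never served. Because the hook rewrites the plaintext response inside the browser, nothing in the bank's server or TLS logs looks unusual; the injection only becomes visible when the client reports its live DOM back, or when the submitted form arrives carrying a field the bank never asked for.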
Related Q&A from Nick Lewis