
The Kronos banking trojan has returned with several new attack campaigns as well as a few updates.

In April 2018, researchers at Proofpoint detected a new variant of the malware. It was the first time Kronos had surfaced since largely disappearing from the threat landscape. Given that absence, the trojan’s operators wasted no time in getting up to no good.

Proofpoint observed the first malware campaign at the end of June. As part of that operation, bad actors posed as German financial companies and sent attack emails to German users with subject lines informing them of updates made to their terms and conditions. Other versions of the campaign notified them of a “reminder.” All instances of the campaign contained Word documents that used malicious macros to download Kronos.

The second and third campaigns both occurred in mid-July. In the former, attackers targeted Japan with a malvertising chain that sent users to websites containing malicious JavaScript. Those sites redirected users to the RIG exploit kit, which distributed Smoke Loader, just one type of malware that had been served by the compromised website of a Ukraine-based accounting software developer back in August 2017. Smoke Loader then downloaded Kronos.

For the third campaign, nefarious individuals targeted Polish users with emails notifying recipients of fake invoices. Attached were Word documents that activated Kronos through the help of malicious macros.

In the days that followed, the researchers also spotted a “work in progress” campaign with Kronos downloaded from a “GET IT NOW” button on a website claiming to be a music streaming service.

Website distributing Kronos in “Work in progress” campaign. (Source: Proofpoint)

Most of these campaigns shed light on an important change made to the banking trojan: the threat now uses .onion C&C URLs and routes its command-and-control traffic over Tor. This technique anonymizes Kronos’s communications and thereby helps it evade detection.

Beyond that update, Proofpoint’s team has reason to believe that someone has rebranded Kronos as a different malware family. Earlier in the spring, they saw ads for a banking trojan called “Osiris” that shares some features with Kronos. Both are banking trojans approximately 350 KB in size, for example, and both use Zeus-formatted webinjects and Tor within their campaigns.

Researchers at Proofpoint feel these updates, not to mention Kronos’s return in general, tie into greater trends within the threat landscape. As they noted in a blog post:

The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape. The first half of this year has been marked by substantial diversity among malicious email campaigns but banking Trojans in particular have predominated. The Kronos banking Trojan has a relatively long and interesting history and it looks like it will continue as a fixture in the threat landscape for now.

To protect employees against threats like Kronos, organizations should implement email filtering solutions that catch macro-laden attachments and conduct ongoing security awareness training with their staff.
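As an added illustration of the kind of attachment filtering that would stop the Word-macro lures described in this article (example code, not Proofpoint’s tooling or anything from the campaigns themselves), the script below classifies Office attachments in a raw email: OOXML files that carry a VBA project part are blocked, legacy OLE documents that cannot be inspected without a full OLE parser are quarantined for review, and everything else passes. The policy, the sample email and the attachment bytes are all constructed for the example.

```python
import email.policy
import io
import zipfile
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.doc/.xls) container

def classify_attachment(data: bytes) -> str:
    """Return 'allow', 'quarantine' or 'block' for one attachment (assumed policy)."""
    if data.startswith(OLE_MAGIC):
        # Legacy .doc keeps VBA in an OLE 'Macros' storage; checking that needs a
        # real OLE parser (e.g. oletools), so hold the file for analyst review.
        return "quarantine"
    if data[:2] == b"PK":  # OOXML (.docx/.docm) is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return "quarantine"  # malformed container: review rather than guess
        # OOXML stores VBA as <part>/vbaProject.bin; its presence means macros.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "block"
    return "allow"

def scan_message(raw: bytes) -> dict:
    """Classify every attachment of a raw RFC 822 message, keyed by filename."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    verdicts = {}
    for part in msg.walk():
        fn = part.get_filename()
        if fn and part.get_content_disposition() == "attachment":
            verdicts[fn] = classify_attachment(part.get_payload(decode=True))
    return verdicts

def build_macro_docx() -> bytes:
    """Constructed sample: a minimal OOXML zip that carries a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in, not real VBA
    return buf.getvalue()

def build_sample_email() -> bytes:
    """Constructed lure in the style the article describes (not a real sample)."""
    msg = EmailMessage()
    msg["Subject"] = "Aktualisierung der AGB"
    msg.set_content("Bitte beachten Sie die angehaengten Bedingungen.")
    msg.add_attachment(build_macro_docx(), maintype="application", subtype="octet-stream", filename="AGB.docm")
    msg.add_attachment(OLE_MAGIC + b"\x00" * 32, maintype="application", subtype="msword", filename="Erinnerung.doc")
    return bytes(msg)
```

Running `scan_message(build_sample_email())` yields a block verdict for the macro-enabled document and a quarantine verdict for the legacy .doc, which is the split a mail gateway would act on.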