Skip to main content

Meet Kronos: The new banking trojan you should be worrying about

A new variant of banking malware has begun to be advertised on online hacker forums, billing itself as the new hottest thing in the cybercriminal underground market.

The new malware is named Kronos, and judging by a recent ad seen on a Russian cybercriminal forum, it's capable of stealing credentials from browsing sessions in Internet Explorer, Mozilla Firefox and Google Chrome by using form-grabbing and HTML content injection techniques. If the advertisement is to be believed, Kronos can also evade both antivirus and so-called "sandboxing", where programs are only allowed to run in a limited part of the system.

Banking malware Zeus caused chaos over the years it was active, infecting 3.6 million PCs in the United States alone, and stealing millions of pounds from banks around the world (opens in new tab), including in the UK. It is most often used to steal banking information through man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware (opens in new tab).

Other big contenders are Gozi (opens in new tab) and Citadel (opens in new tab), which alone stole $500 million over its time online. Both of these have caused chaos in the financial system, and untold damage to businesses and individuals around the world.

The new malware doesn't come cheap, though. A budding cybercriminal will be set back $7,000 (£4,100) to get a copy, a premium price for a piece of malware. As though the distributors didn't seem confident enough in naming the malware after Kronos, the father of Zeus, they're also offering a week trial period for $1,000 to allow other hackers to make sure the malware is up to spec.

The malware developers seem to have taken a leaf out of Microsoft's book, too – selling software at a premium, but offering support for free. Indeed, the $7,000 price tag for Kronos also comes with free updates and technical support, should it be needed. Incidentally, the hackers are also accepting payments in Bitcoin.

So what have we learned from the spread of Zeus that could help us in battling Kronos?

Zeus was mainly spread through drive-by downloads and phishing schemes, so good Internet practice should keep you safe. Drive-by downloads may happen when visiting a website, viewing an e-mail message or by clicking on a deceptive pop-up window, which might claim to be an error message, for instance. Stay secure by treating all such messages with suspicion, and don't open any suspicious attachments in emails. Training your employees to do the same could pay real dividends in the future, too.

For more, check out our guide on how to stay safe and avoid nastiness like Cryptolocker when browsing the web (opens in new tab).

The full text of the hackers' advertisement, along with technical specifications, can be found below.

I present you a new banking Trojan+

Compatible with 64 and 32bit rootkit Trojan is equipped with the tools to give you successful banking actions.Formgrabber: Works on Chrome, IE, FF in latest versions. Works on the majority of older versions as well. Steals logs from each website Webinjects: Works on latest Chrome, IE, FF, latest and majority of older versions. Injections are in Zeus config format, so it's easy to transfer the config from one another.32 and 64bit Ring3 rootkit: The Trojan also has a ring 3 rootkit that defends it from other Trojans.+

Proactive Bypass: The Trojan uses an undetected injection method to work in a secure process and bypass proactive anti-virus protections. Encrypted Communication: Connection between bot and panel is encrypted to protect against sniffers. Usermode Sandbox and rootkit bypass: The Trojan is able to bypass any hook in usermode functions which bypasses rootkits or sandboxes which use these hooks.+

1000$ a week of testing. The server will be hosted only for you. You need just a domain or a payment including the domain fee. You'll have full access to the C&C, without any limits or restrictions during test mode.7000$ Lifetime product license, free updates and bug removals. New modules will not be free , and you will need to pay additionally. We accept Perfect Money, Bitcoin, WMZ, BTC-E.comCurrently the Trojan is written in its fullest. Next week we will have tests and bug fixing, then release. Pre-ordering the Trojan will give you a discount.+

Paul Cooper
Paul Cooper

Paul has worked as an archivist, editor and journalist, and has a PhD in the cultural and literary significance of ruins. His writing has appeared in the New York Times, The BBC, The Atlantic, National Geographic, and Discover Magazine, and he was previously Staff Writer and Journalist at ITProPortal.