win.kronos

Kronos

aka: Osiris

Kronos is a banking trojan that first appeared in 2014 and was later sold and tracked under the name Osiris. It targets customers of financial institutions: once running on a victim's Windows host it captures online-banking credentials, card data and other form input with keylogging, form grabbing and browser web injects, and the web injects let operators manipulate the banking session in the victim's browser, which is how protections such as two-factor authentication are worked around. Delivery has been observed through phishing campaigns and exploit kits (Sundown EK), and through loaders such as SmokeLoader, PrivateLoader and the Gootkit loader; Kronos has in turn been used to drop ScanPOS point-of-sale malware. Campaigns have been regional (the 2021 Osiris campaign targeted German IP addresses), and the MoneyTaker group used Kronos among its tooling. The family has been revised repeatedly, including the 2018 "Kronos Reborn" variant with updated anti-analysis and evasion, and the Ares trojan that surfaced in 2021 is derived from the same codebase.

References
2022-10-31 | Palo Alto Networks Unit 42 | Or Chechik
Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure
Families: Dridex, Kronos, TrickBot, Zeus

2022-07-27 | Trend Micro | Buddy Tancio, Jed Valderama
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike
Families: Cobalt Strike, GootKit, Kronos, REvil, SunCrypt

2022-02-08 | Intel 471 | Intel 471
PrivateLoader: The first step in many malware schemes
Families: Dridex, Kronos, LockBit, Nanocore RAT, NjRAT, PrivateLoader, Quasar RAT, RedLine Stealer, Remcos, SmokeLoader, STOP, Tofsee, TrickBot, Vidar

2021-05-11 | The Record | Catalin Cimpanu
Osiris banking trojan shuts down as new Ares variant emerges
Families: Kronos

2021-03-30 | Zscaler | Brett Stone-Gross
Ares Malware: The Grandson of the Kronos Banking Trojan
Families: Ares, Kronos

2021-02-08 | Morphisec | Michael Dereviashkin
Long Live, Osiris; Banking Trojan Targets German IP Addresses
Families: Kronos

2020-08-14 | Twitter (@3xp0rtblog) | 3xp0rt
Tweet on Osiris
Families: Kronos

2020-08-09 | F5 Labs | Debbie Walkowski, Remi Cohen
Banking Trojans: A Reference Guide to the Malware Family Tree
Families: BackSwap, Carberp, Citadel, DanaBot, Dridex, Dyre, Emotet, Gozi, Kronos, PandaBanker, Ramnit, Shylock, SpyEye, Tinba, TrickBot, Vawtrak, Zeus

2019-10-29 | Dissecting Malware | Marius Genheimer
Osiris, the god of afterlife...and banking malware?!
Families: Kronos

2019-04-19 | ZDNet | Catalin Cimpanu
Security researcher MalwareTech pleads guilty
Families: Kronos

2018-07-24 | Proofpoint | Proofpoint Staff
Kronos Reborn
Families: Kronos

2017-12-11 | Group-IB | Group-IB
MoneyTaker: 1.5 Years of Silent Operations
Families: Citadel, Kronos, Meterpreter

2017-08-29 | Malwarebytes | Malwarebytes Labs
Inside the Kronos malware – part 2
Families: Kronos

2017-08-18 | Malwarebytes | Malwarebytes Labs
Inside the Kronos malware – part 1
Families: Kronos

2016-11-15 | Proofpoint | Proofpoint Staff
Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware
Families: Kronos, ScanPOS

2016-10-17 | Malwarebytes | Jérôme Segura
New-looking Sundown EK drops Smoke Loader, Kronos banker
Families: Kronos, SmokeLoader

2015-12-01 | Trend Micro | Erika Mendoza, Jay Yaneza
Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools
Families: Alina POS, BlackPOS, Kronos, NewPosThings
Yara Rules
[TLP:WHITE] win_kronos_auto (20260504 | Detects win.kronos.)
rule win_kronos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.kronos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8955f8 ff15???????? 8b4df8 6a40 6800300000 51 57 }
            // n = 7, score = 2800
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   ff15????????         |                     
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   6a40                 | push                0x40
            //   6800300000           | push                0x3000
            //   51                   | push                ecx
            //   57                   | push                edi

        $sequence_1 = { 8b4d10 33c0 85c9 7629 66833c4600 741d }
            // n = 6, score = 2800
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   33c0                 | xor                 eax, eax
            //   85c9                 | test                ecx, ecx
            //   7629                 | jbe                 0x2b
            //   66833c4600           | cmp                 word ptr [esi + eax*2], 0
            //   741d                 | je                  0x1f

        $sequence_2 = { ffd1 8b5dfc 83c408 83fb01 7416 85ff 7410 }
            // n = 7, score = 2800
            //   ffd1                 | call                ecx
            //   8b5dfc               | mov                 ebx, dword ptr [ebp - 4]
            //   83c408               | add                 esp, 8
            //   83fb01               | cmp                 ebx, 1
            //   7416                 | je                  0x18
            //   85ff                 | test                edi, edi
            //   7410                 | je                  0x12

        $sequence_3 = { 8b00 52 8b550c 8d8ed8000000 52 8d55d8 }
            // n = 6, score = 2800
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   52                   | push                edx
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8d8ed8000000         | lea                 ecx, [esi + 0xd8]
            //   52                   | push                edx
            //   8d55d8               | lea                 edx, [ebp - 0x28]

        $sequence_4 = { 56 57 6a28 e8???????? 8bf8 83c404 85ff }
            // n = 7, score = 2800
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a28                 | push                0x28
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c404               | add                 esp, 4
            //   85ff                 | test                edi, edi

        $sequence_5 = { 7905 49 83c9f0 41 0f85bc000000 99 }
            // n = 6, score = 2800
            //   7905                 | jns                 7
            //   49                   | dec                 ecx
            //   83c9f0               | or                  ecx, 0xfffffff0
            //   41                   | inc                 ecx
            //   0f85bc000000         | jne                 0xc2
            //   99                   | cdq                 

        $sequence_6 = { 894804 c7400800000000 5e 8be5 5d c20c00 8b4508 }
            // n = 7, score = 2800
            //   894804               | mov                 dword ptr [eax + 4], ecx
            //   c7400800000000       | mov                 dword ptr [eax + 8], 0
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20c00               | ret                 0xc
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_7 = { 85d2 7418 8b5104 895008 85d2 }
            // n = 5, score = 2800
            //   85d2                 | test                edx, edx
            //   7418                 | je                  0x1a
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   895008               | mov                 dword ptr [eax + 8], edx
            //   85d2                 | test                edx, edx

        $sequence_8 = { 0f85bc000000 99 83e20f 03c2 57 8bf8 }
            // n = 6, score = 2800
            //   0f85bc000000         | jne                 0xc2
            //   99                   | cdq                 
            //   83e20f               | and                 edx, 0xf
            //   03c2                 | add                 eax, edx
            //   57                   | push                edi
            //   8bf8                 | mov                 edi, eax

        $sequence_9 = { 56 e8???????? 8bf8 eb1d 81fb05000080 7408 81fb230000c0 }
            // n = 7, score = 2800
            //   56                   | push                esi
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   eb1d                 | jmp                 0x1f
            //   81fb05000080         | cmp                 ebx, 0x80000005
            //   7408                 | je                  0xa
            //   81fb230000c0         | cmp                 ebx, 0xc0000023

    condition:
        7 of them and filesize < 1302528
}
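To see how the rule above actually decides, the following added example (written for this page; it is not Malpedia or yara-signator code) re-implements just the subset of YARA semantics this rule needs: hex strings with `??` wildcard bytes, `N of them`, and `filesize < X`. The ten hex strings are copied verbatim from the rule; the buffers it scans are constructed here for the demonstration and are not Kronos samples. In practice you would run the rule with the `yara` CLI or `yara-python`; this is only to make the matching logic and the condition concrete.

```python
import re

# The ten hex strings of win_kronos_auto, copied from the rule above.
KRONOS_SEQUENCES = {
    "sequence_0": "8955f8 ff15???????? 8b4df8 6a40 6800300000 51 57",
    "sequence_1": "8b4d10 33c0 85c9 7629 66833c4600 741d",
    "sequence_2": "ffd1 8b5dfc 83c408 83fb01 7416 85ff 7410",
    "sequence_3": "8b00 52 8b550c 8d8ed8000000 52 8d55d8",
    "sequence_4": "56 57 6a28 e8???????? 8bf8 83c404 85ff",
    "sequence_5": "7905 49 83c9f0 41 0f85bc000000 99",
    "sequence_6": "894804 c7400800000000 5e 8be5 5d c20c00 8b4508",
    "sequence_7": "85d2 7418 8b5104 895008 85d2",
    "sequence_8": "0f85bc000000 99 83e20f 03c2 57 8bf8",
    "sequence_9": "56 e8???????? 8bf8 eb1d 81fb05000080 7408 81fb230000c0",
}
MIN_MATCHES = 7          # the rule's "7 of them"
MAX_FILESIZE = 1302528   # the rule's "filesize < 1302528"


def hex_tokens(hex_string):
    """Split a YARA hex string into two-character tokens ("8b", "??", ...)."""
    compact = hex_string.replace(" ", "")
    if len(compact) % 2:
        raise ValueError("odd number of hex digits: %r" % hex_string)
    return [compact[i:i + 2] for i in range(0, len(compact), 2)]


def hex_string_to_regex(hex_string):
    """Translate a YARA hex string into a compiled bytes regex.

    `??` becomes a single-byte wildcard; every other token is a literal
    byte, escaped so values such as 0x2e ('.') or 0x5b ('[') are not
    treated as regex metacharacters. DOTALL lets the wildcard match 0x0a.
    """
    parts = []
    for tok in hex_tokens(hex_string):
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_string_to_regex(h) for name, h in KRONOS_SEQUENCES.items()}


def matching_sequences(data):
    """Names of the rule's sequences that occur anywhere in `data`."""
    return [name for name, pat in COMPILED.items() if pat.search(data)]


def rule_matches(data):
    """The rule's condition: `7 of them and filesize < 1302528`."""
    if len(data) >= MAX_FILESIZE:
        return False
    return len(matching_sequences(data)) >= MIN_MATCHES


def build_sample(sequence_names, filler=b"\x90" * 16):
    """Constructed test buffer, not a real Kronos sample: the chosen
    sequences with 0xCC in the wildcard positions and NOP padding around them."""
    chunks = []
    for name in sequence_names:
        chunks.append(bytes(0xCC if tok == "??" else int(tok, 16)
                            for tok in hex_tokens(KRONOS_SEQUENCES[name])))
    return filler + filler.join(chunks) + filler


if __name__ == "__main__":
    seven = ["sequence_%d" % i for i in range(7)]
    buf = build_sample(seven)
    print("matched:", matching_sequences(buf))
    print("rule fires:", rule_matches(buf))
    print("rule fires with only 6 sequences:", rule_matches(build_sample(seven[:6])))
```

Two things worth noting when you read the sequences as code rather than as byte strings. `$sequence_0` sets up `push 0x40; push 0x3000; push ecx; push edi` right before a call, which is the argument order of a `VirtualAlloc(lpAddress, dwSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)` call, a common unpacking or injection stub; `$sequence_9` compares against 0x80000005 and 0xC0000023, the NTSTATUS codes STATUS_BUFFER_OVERFLOW and STATUS_BUFFER_TOO_SMALL. Both are generic compiler-emitted patterns, which is why the rule requires seven of the ten before it fires. As the rule's own disclaimer says, the sequences were taken from unpacked files and memory dumps of a single documented sample, so run it against unpacked images or process memory rather than packed droppers, and assign it confidence accordingly.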