SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kronos (Back to overview)

Kronos

aka: Osiris
URLhaus    

Kronos malware is a sophisticated banking Trojan that first emerged in 2014. It is designed to target financial institutions and steal sensitive banking information. The malware is primarily spread through phishing campaigns and exploit kits. Once installed on a victim's computer, Kronos can capture login credentials, credit card details, and other personal information by keylogging and form grabbing techniques. It can also bypass security measures such as two-factor authentication. Kronos employs advanced evasion techniques to avoid detection by antivirus software and actively updates itself to evade security patches. It has been known to target a wide range of banking systems and has affected numerous organizations worldwide. The malware continues to evolve, making it a significant threat to online banking security.

References
2022-10-31paloalto Netoworks: Unit42Or Chechik
@online{chechik:20221031:banking:c421ac8, author = {Or Chechik}, title = {{Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure}}, date = {2022-10-31}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/banking-trojan-techniques/}, language = {English}, urldate = {2022-10-31} } Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure
Dridex Kronos TrickBot Zeus
2022-07-27Trend MicroBuddy Tancio, Jed Valderama
@online{tancio:20220727:gootkit:f1c63fa, author = {Buddy Tancio and Jed Valderama}, title = {{Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike}}, date = {2022-07-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html}, language = {English}, urldate = {2022-07-29} } Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike
Cobalt Strike GootKit Kronos REvil SunCrypt
2022-02-08Intel 471Intel 471
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2021-05-11The RecordCatalin Cimpanu
@online{cimpanu:20210511:osiris:c21f10f, author = {Catalin Cimpanu}, title = {{Osiris banking trojan shuts down as new Ares variant emerges}}, date = {2021-05-11}, organization = {The Record}, url = {https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/}, language = {English}, urldate = {2021-05-13} } Osiris banking trojan shuts down as new Ares variant emerges
Kronos
2021-03-30ZscalerBrett Stone-Gross
@online{stonegross:20210330:ares:6bae793, author = {Brett Stone-Gross}, title = {{Ares Malware: The Grandson of the Kronos Banking Trojan}}, date = {2021-03-30}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan}, language = {English}, urldate = {2021-03-31} } Ares Malware: The Grandson of the Kronos Banking Trojan
Ares Kronos
2021-02-08MorphisecMichael Dereviashkin
@online{dereviashkin:20210208:long:d1419a2, author = {Michael Dereviashkin}, title = {{Long Live, Osiris; Banking Trojan Targets German IP Addresses}}, date = {2021-02-08}, organization = {Morphisec}, url = {https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses}, language = {English}, urldate = {2021-02-09} } Long Live, Osiris; Banking Trojan Targets German IP Addresses
Kronos
2020-08-14Twitter (@3xp0rtblog)3xp0rt
@online{3xp0rt:20200814:osiris:5de6596, author = {3xp0rt}, title = {{Tweet on Osiris}}, date = {2020-08-14}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1294157781415743488}, language = {English}, urldate = {2020-08-18} } Tweet on Osiris
Kronos
2020-08-09F5 LabsRemi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2019-10-29Dissecting MalwareMarius Genheimer
@online{genheimer:20191029:osiris:55e249f, author = {Marius Genheimer}, title = {{Osiris, the god of afterlife...and banking malware?!}}, date = {2019-10-29}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html}, language = {English}, urldate = {2020-03-27} } Osiris, the god of afterlife...and banking malware?!
Kronos
2019-04-19ZDNetCatalin Cimpanu
@online{cimpanu:20190419:security:683479e, author = {Catalin Cimpanu}, title = {{Security researcher MalwareTech pleads guilty}}, date = {2019-04-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/}, language = {English}, urldate = {2020-01-13} } Security researcher MalwareTech pleads guilty
Kronos
2018-07-24ProofpointProofpoint Staff
@online{staff:20180724:kronos:ad537ce, author = {Proofpoint Staff}, title = {{Kronos Reborn}}, date = {2018-07-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/kronos-reborn}, language = {English}, urldate = {2019-12-20} } Kronos Reborn
Kronos
2017-12-11Group-IBGroup-IB
@techreport{groupib:20171211:moneytaker:49776be, author = {Group-IB}, title = {{MoneyTaker 1.5 YEARS OF SILENT OPERATIONS}}, date = {2017-12-11}, institution = {Group-IB}, url = {https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf}, language = {English}, urldate = {2021-02-09} } MoneyTaker 1.5 YEARS OF SILENT OPERATIONS
Citadel Kronos Meterpreter
2017-08-29MalwarebytesMalwarebytes Labs
@online{labs:20170829:inside:a4e7a99, author = {Malwarebytes Labs}, title = {{Inside the Kronos malware – part 2}}, date = {2017-08-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/}, language = {English}, urldate = {2019-12-20} } Inside the Kronos malware – part 2
Kronos
2017-08-18MalwarebytesMalwarebytes Labs
@online{labs:20170818:inside:f145bae, author = {Malwarebytes Labs}, title = {{Inside the Kronos malware – part 1}}, date = {2017-08-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/}, language = {English}, urldate = {2019-12-20} } Inside the Kronos malware – part 1
Kronos
2016-11-15ProofpointProofpoint Staff
@online{staff:20161115:kronos:6580667, author = {Proofpoint Staff}, title = {{Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware}}, date = {2016-11-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware}, language = {English}, urldate = {2019-12-20} } Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware
Kronos ScanPOS
2016-10-17MalwarebytesJérôme Segura
@online{segura:20161017:newlooking:3e62740, author = {Jérôme Segura}, title = {{New-looking Sundown EK drops Smoke Loader, Kronos banker}}, date = {2016-10-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/}, language = {English}, urldate = {2019-12-20} } New-looking Sundown EK drops Smoke Loader, Kronos banker
Kronos SmokeLoader
2015-12-01Trend MicroJay Yaneza, Erika Mendoza
@online{yaneza:20151201:operation:718c901, author = {Jay Yaneza and Erika Mendoza}, title = {{Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools}}, date = {2015-12-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/}, language = {English}, urldate = {2020-03-19} } Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools
Alina POS BlackPOS Kronos NewPosThings
Yara Rules
[TLP:WHITE] win_kronos_auto (20230808 | Detects win.kronos.)
rule win_kronos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.kronos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d542450 52 03c6 50 57 ffd3 85c0 }
            // n = 7, score = 2800
            //   8d542450             | lea                 edx, [esp + 0x50]
            //   52                   | push                edx
            //   03c6                 | add                 eax, esi
            //   50                   | push                eax
            //   57                   | push                edi
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax

        $sequence_1 = { 813e50450000 7549 57 56 ff75fc e8???????? 8b450c }
            // n = 7, score = 2800
            //   813e50450000         | cmp                 dword ptr [esi], 0x4550
            //   7549                 | jne                 0x4b
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_2 = { e8???????? 33db 6a40 8d4628 53 50 }
            // n = 6, score = 2800
            //   e8????????           |                     
            //   33db                 | xor                 ebx, ebx
            //   6a40                 | push                0x40
            //   8d4628               | lea                 eax, [esi + 0x28]
            //   53                   | push                ebx
            //   50                   | push                eax

        $sequence_3 = { e8???????? 85db 0f854fffffff eb1c 8d4dd0 be02000000 e8???????? }
            // n = 7, score = 2800
            //   e8????????           |                     
            //   85db                 | test                ebx, ebx
            //   0f854fffffff         | jne                 0xffffff55
            //   eb1c                 | jmp                 0x1e
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   be02000000           | mov                 esi, 2
            //   e8????????           |                     

        $sequence_4 = { 897804 8930 ff461c 6a00 }
            // n = 4, score = 2800
            //   897804               | mov                 dword ptr [eax + 4], edi
            //   8930                 | mov                 dword ptr [eax], esi
            //   ff461c               | inc                 dword ptr [esi + 0x1c]
            //   6a00                 | push                0

        $sequence_5 = { 803d????????01 56 750f 33f6 8d4df0 e8???????? 8bc6 }
            // n = 7, score = 2800
            //   803d????????01       |                     
            //   56                   | push                esi
            //   750f                 | jne                 0x11
            //   33f6                 | xor                 esi, esi
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi

        $sequence_6 = { eb1d 8b0f e8???????? 8b0f 8b30 6a04 e8???????? }
            // n = 7, score = 2800
            //   eb1d                 | jmp                 0x1f
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   e8????????           |                     
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   6a04                 | push                4
            //   e8????????           |                     

        $sequence_7 = { 0355dc 8b45e8 2b45ec 03ca 3b450c 7356 29450c }
            // n = 7, score = 2800
            //   0355dc               | add                 edx, dword ptr [ebp - 0x24]
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   2b45ec               | sub                 eax, dword ptr [ebp - 0x14]
            //   03ca                 | add                 ecx, edx
            //   3b450c               | cmp                 eax, dword ptr [ebp + 0xc]
            //   7356                 | jae                 0x58
            //   29450c               | sub                 dword ptr [ebp + 0xc], eax

        $sequence_8 = { c3 55 8bec 83ec5c 56 8d45a4 50 }
            // n = 7, score = 2800
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec5c               | sub                 esp, 0x5c
            //   56                   | push                esi
            //   8d45a4               | lea                 eax, [ebp - 0x5c]
            //   50                   | push                eax

        $sequence_9 = { 3b7104 7505 8b06 894104 3b7108 7506 8b5604 }
            // n = 7, score = 2800
            //   3b7104               | cmp                 esi, dword ptr [ecx + 4]
            //   7505                 | jne                 7
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   894104               | mov                 dword ptr [ecx + 4], eax
            //   3b7108               | cmp                 esi, dword ptr [ecx + 8]
            //   7506                 | jne                 8
            //   8b5604               | mov                 edx, dword ptr [esi + 4]

    condition:
        7 of them and filesize < 1302528
}
Download all Yara Rules