Kronos (Malware Family)

Kronos

aka: Osiris

VTCollection URLhaus

Kronos malware is a sophisticated banking Trojan that first emerged in 2014. It is designed to target financial institutions and steal sensitive banking information. The malware is primarily spread through phishing campaigns and exploit kits. Once installed on a victim's computer, Kronos can capture login credentials, credit card details, and other personal information by keylogging and form grabbing techniques. It can also bypass security measures such as two-factor authentication. Kronos employs advanced evasion techniques to avoid detection by antivirus software and actively updates itself to evade security patches. It has been known to target a wide range of banking systems and has affected numerous organizations worldwide. The malware continues to evolve, making it a significant threat to online banking security.

References

2022-10-31 ⋅ paloalto Netoworks: Unit42 ⋅ Or Chechik
Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure
Dridex Kronos TrickBot Zeus

2022-07-27 ⋅ Trend Micro ⋅ Buddy Tancio, Jed Valderama
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike
Cobalt Strike GootKit Kronos REvil SunCrypt

2022-02-08 ⋅ Intel 471 ⋅ Intel 471
PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar

2021-05-11 ⋅ The Record ⋅ Catalin Cimpanu
Osiris banking trojan shuts down as new Ares variant emerges
Kronos

2021-03-30 ⋅ Zscaler ⋅ Brett Stone-Gross
Ares Malware: The Grandson of the Kronos Banking Trojan
Ares Kronos

2021-02-08 ⋅ Morphisec ⋅ Michael Dereviashkin
Long Live, Osiris; Banking Trojan Targets German IP Addresses
Kronos

2020-08-14 ⋅ Twitter (@3xp0rtblog) ⋅ 3xp0rt
Tweet on Osiris
Kronos

2020-08-09 ⋅ F5 Labs ⋅ Debbie Walkowski, Remi Cohen
Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus

2019-10-29 ⋅ Dissecting Malware ⋅ Marius Genheimer
Osiris, the god of afterlife...and banking malware?!
Kronos

2019-04-19 ⋅ ZDNet ⋅ Catalin Cimpanu
Security researcher MalwareTech pleads guilty
Kronos

2018-07-24 ⋅ Proofpoint ⋅ Proofpoint Staff
Kronos Reborn
Kronos

2017-12-11 ⋅ Group-IB ⋅ Group-IB
MoneyTaker 1.5 YEARS OF SILENT OPERATIONS
Citadel Kronos Meterpreter

2017-08-29 ⋅ Malwarebytes ⋅ Malwarebytes Labs
Inside the Kronos malware – part 2
Kronos

2017-08-18 ⋅ Malwarebytes ⋅ Malwarebytes Labs
Inside the Kronos malware – part 1
Kronos

2016-11-15 ⋅ Proofpoint ⋅ Proofpoint Staff
Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware
Kronos ScanPOS

2016-10-17 ⋅ Malwarebytes ⋅ Jérôme Segura
New-looking Sundown EK drops Smoke Loader, Kronos banker
Kronos SmokeLoader

2015-12-01 ⋅ Trend Micro ⋅ Erika Mendoza, Jay Yaneza
Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools
Alina POS BlackPOS Kronos NewPosThings

Yara Rules

[TLP:WHITE] win_kronos_auto (20241030 | Detects win.kronos.)

rule win_kronos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.kronos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb706 8bd8 81e300f00000 81fb00300000 750e 8b5d08 }
            // n = 6, score = 2800
            //   0fb706               | movzx               eax, word ptr [esi]
            //   8bd8                 | mov                 ebx, eax
            //   81e300f00000         | and                 ebx, 0xf000
            //   81fb00300000         | cmp                 ebx, 0x3000
            //   750e                 | jne                 0x10
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]

        $sequence_1 = { 0fb70c46 66ff444da4 8d4c4da4 40 }
            // n = 4, score = 2800
            //   0fb70c46             | movzx               ecx, word ptr [esi + eax*2]
            //   66ff444da4           | inc                 word ptr [ebp + ecx*2 - 0x5c]
            //   8d4c4da4             | lea                 ecx, [ebp + ecx*2 - 0x5c]
            //   40                   | inc                 eax

        $sequence_2 = { 0fb709 66394808 7417 8b00 }
            // n = 4, score = 2800
            //   0fb709               | movzx               ecx, word ptr [ecx]
            //   66394808             | cmp                 word ptr [eax + 8], cx
            //   7417                 | je                  0x19
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_3 = { 50 8d85d8fdffff 50 e8???????? 59 59 a3???????? }
            // n = 7, score = 2800
            //   50                   | push                eax
            //   8d85d8fdffff         | lea                 eax, [ebp - 0x228]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   a3????????           |                     

        $sequence_4 = { 33db 897dfc 897df8 897df0 897df4 397d08 0f84a7000000 }
            // n = 7, score = 2800
            //   33db                 | xor                 ebx, ebx
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   897df8               | mov                 dword ptr [ebp - 8], edi
            //   897df0               | mov                 dword ptr [ebp - 0x10], edi
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   397d08               | cmp                 dword ptr [ebp + 8], edi
            //   0f84a7000000         | je                  0xad

        $sequence_5 = { 33db 8d443818 663b4f06 0f8395000000 56 }
            // n = 5, score = 2800
            //   33db                 | xor                 ebx, ebx
            //   8d443818             | lea                 eax, [eax + edi + 0x18]
            //   663b4f06             | cmp                 cx, word ptr [edi + 6]
            //   0f8395000000         | jae                 0x9b
            //   56                   | push                esi

        $sequence_6 = { 0fb70c51 8b3488 8d45e0 50 }
            // n = 4, score = 2800
            //   0fb70c51             | movzx               ecx, word ptr [ecx + edx*2]
            //   8b3488               | mov                 esi, dword ptr [eax + ecx*4]
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax

        $sequence_7 = { 50 8d85d8fdffff 6803010000 50 e8???????? 83c418 }
            // n = 6, score = 2800
            //   50                   | push                eax
            //   8d85d8fdffff         | lea                 eax, [ebp - 0x228]
            //   6803010000           | push                0x103
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

    condition:
        7 of them and filesize < 1302528
}

Download all Yara Rules

Kronos Propose Change

References

Yara Rules

Kronos