win.kronos

Kronos

aka: Osiris

Kronos is a banking Trojan that first emerged in 2014. It targets customers of financial institutions in order to steal banking information. The malware is primarily spread through phishing campaigns and exploit kits. Once installed on a victim's computer, Kronos captures login credentials, credit card details and other personal information using keylogging and form-grabbing techniques, and it can also bypass security measures such as two-factor authentication. Kronos employs evasion techniques to avoid detection by antivirus software and actively updates itself to evade security patches. It has targeted a wide range of banking systems and has affected numerous organizations worldwide. The malware continues to evolve, making it a significant threat to online banking security.

References
2022-10-31 | Palo Alto Networks: Unit42 | Or Chechik
@online{chechik:20221031:banking:c421ac8, author = {Or Chechik}, title = {{Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure}}, date = {2022-10-31}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/banking-trojan-techniques/}, language = {English}, urldate = {2022-10-31} }
Families: Dridex, Kronos, TrickBot, Zeus

2022-07-27 | Trend Micro | Buddy Tancio, Jed Valderama
@online{tancio:20220727:gootkit:f1c63fa, author = {Buddy Tancio and Jed Valderama}, title = {{Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike}}, date = {2022-07-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html}, language = {English}, urldate = {2022-07-29} }
Families: Cobalt Strike, GootKit, Kronos, REvil, SunCrypt

2022-02-08 | Intel 471 | Intel 471
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} }
Families: Dridex, Kronos, LockBit, Nanocore RAT, NjRAT, PrivateLoader, Quasar RAT, RedLine Stealer, Remcos, SmokeLoader, STOP, Tofsee, TrickBot, Vidar

2021-05-11 | The Record | Catalin Cimpanu
@online{cimpanu:20210511:osiris:c21f10f, author = {Catalin Cimpanu}, title = {{Osiris banking trojan shuts down as new Ares variant emerges}}, date = {2021-05-11}, organization = {The Record}, url = {https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/}, language = {English}, urldate = {2021-05-13} }
Families: Kronos

2021-03-30 | Zscaler | Brett Stone-Gross
@online{stonegross:20210330:ares:6bae793, author = {Brett Stone-Gross}, title = {{Ares Malware: The Grandson of the Kronos Banking Trojan}}, date = {2021-03-30}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan}, language = {English}, urldate = {2021-03-31} }
Families: Ares, Kronos

2021-02-08 | Morphisec | Michael Dereviashkin
@online{dereviashkin:20210208:long:d1419a2, author = {Michael Dereviashkin}, title = {{Long Live, Osiris; Banking Trojan Targets German IP Addresses}}, date = {2021-02-08}, organization = {Morphisec}, url = {https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses}, language = {English}, urldate = {2021-02-09} }
Families: Kronos

2020-08-14 | Twitter (@3xp0rtblog) | 3xp0rt
@online{3xp0rt:20200814:osiris:5de6596, author = {3xp0rt}, title = {{Tweet on Osiris}}, date = {2020-08-14}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1294157781415743488}, language = {English}, urldate = {2020-08-18} }
Families: Kronos

2020-08-09 | F5 Labs | Remi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} }
Families: BackSwap, Carberp, Citadel, DanaBot, Dridex, Dyre, Emotet, Gozi, Kronos, PandaBanker, Ramnit, Shylock, SpyEye, Tinba, TrickBot, Vawtrak, Zeus

2019-10-29 | Dissecting Malware | Marius Genheimer
@online{genheimer:20191029:osiris:55e249f, author = {Marius Genheimer}, title = {{Osiris, the god of afterlife...and banking malware?!}}, date = {2019-10-29}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html}, language = {English}, urldate = {2020-03-27} }
Families: Kronos

2019-04-19 | ZDNet | Catalin Cimpanu
@online{cimpanu:20190419:security:683479e, author = {Catalin Cimpanu}, title = {{Security researcher MalwareTech pleads guilty}}, date = {2019-04-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/}, language = {English}, urldate = {2020-01-13} }
Families: Kronos

2018-07-24 | Proofpoint | Proofpoint Staff
@online{staff:20180724:kronos:ad537ce, author = {Proofpoint Staff}, title = {{Kronos Reborn}}, date = {2018-07-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/kronos-reborn}, language = {English}, urldate = {2019-12-20} }
Families: Kronos

2017-12-11 | Group-IB | Group-IB
@techreport{groupib:20171211:moneytaker:49776be, author = {Group-IB}, title = {{MoneyTaker 1.5 YEARS OF SILENT OPERATIONS}}, date = {2017-12-11}, institution = {Group-IB}, url = {https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf}, language = {English}, urldate = {2021-02-09} }
Families: Citadel, Kronos, Meterpreter

2017-08-29 | Malwarebytes | Malwarebytes Labs
@online{labs:20170829:inside:a4e7a99, author = {Malwarebytes Labs}, title = {{Inside the Kronos malware – part 2}}, date = {2017-08-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/}, language = {English}, urldate = {2019-12-20} }
Families: Kronos

2017-08-18 | Malwarebytes | Malwarebytes Labs
@online{labs:20170818:inside:f145bae, author = {Malwarebytes Labs}, title = {{Inside the Kronos malware – part 1}}, date = {2017-08-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/}, language = {English}, urldate = {2019-12-20} }
Families: Kronos

2016-11-15 | Proofpoint | Proofpoint Staff
@online{staff:20161115:kronos:6580667, author = {Proofpoint Staff}, title = {{Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware}}, date = {2016-11-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware}, language = {English}, urldate = {2019-12-20} }
Families: Kronos, ScanPOS

2016-10-17 | Malwarebytes | Jérôme Segura
@online{segura:20161017:newlooking:3e62740, author = {Jérôme Segura}, title = {{New-looking Sundown EK drops Smoke Loader, Kronos banker}}, date = {2016-10-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/}, language = {English}, urldate = {2019-12-20} }
Families: Kronos, SmokeLoader

2015-12-01 | Trend Micro | Jay Yaneza, Erika Mendoza
@online{yaneza:20151201:operation:718c901, author = {Jay Yaneza and Erika Mendoza}, title = {{Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools}}, date = {2015-12-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/}, language = {English}, urldate = {2020-03-19} }
Families: Alina POS, BlackPOS, Kronos, NewPosThings
Yara Rules
[TLP:WHITE] win_kronos_auto (20230407 | Detects win.kronos.)
rule win_kronos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.kronos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b7704 85f6 744e 53 8d642400 8b4604 85c0 }
            // n = 7, score = 2800
            //   8b7704               | mov                 esi, dword ptr [edi + 4]
            //   85f6                 | test                esi, esi
            //   744e                 | je                  0x50
            //   53                   | push                ebx
            //   8d642400             | lea                 esp, [esp]
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   85c0                 | test                eax, eax

        $sequence_1 = { 1bc0 83d8ff 85c0 7510 85ff }
            // n = 5, score = 2800
            //   1bc0                 | sbb                 eax, eax
            //   83d8ff               | sbb                 eax, -1
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12
            //   85ff                 | test                edi, edi

        $sequence_2 = { e8???????? 8d4dd0 c6471900 33f6 e8???????? 8d4dc0 e8???????? }
            // n = 7, score = 2800
            //   e8????????           |                     
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   c6471900             | mov                 byte ptr [edi + 0x19], 0
            //   33f6                 | xor                 esi, esi
            //   e8????????           |                     
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   e8????????           |                     

        $sequence_3 = { 0fb711 6685d2 740e 6683fa5c 7408 6683fa2f 7402 }
            // n = 7, score = 2800
            //   0fb711               | movzx               edx, word ptr [ecx]
            //   6685d2               | test                dx, dx
            //   740e                 | je                  0x10
            //   6683fa5c             | cmp                 dx, 0x5c
            //   7408                 | je                  0xa
            //   6683fa2f             | cmp                 dx, 0x2f
            //   7402                 | je                  4

        $sequence_4 = { c7457401000000 85f6 7435 8d4514 50 e8???????? }
            // n = 6, score = 2800
            //   c7457401000000       | mov                 dword ptr [ebp + 0x74], 1
            //   85f6                 | test                esi, esi
            //   7435                 | je                  0x37
            //   8d4514               | lea                 eax, [ebp + 0x14]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_5 = { 7528 53 ff15???????? ff15???????? 8b742410 8bf8 8b442414 }
            // n = 7, score = 2800
            //   7528                 | jne                 0x2a
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   8b742410             | mov                 esi, dword ptr [esp + 0x10]
            //   8bf8                 | mov                 edi, eax
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]

        $sequence_6 = { 83c428 85f6 752c 85c0 7528 }
            // n = 5, score = 2800
            //   83c428               | add                 esp, 0x28
            //   85f6                 | test                esi, esi
            //   752c                 | jne                 0x2e
            //   85c0                 | test                eax, eax
            //   7528                 | jne                 0x2a

        $sequence_7 = { 2b5f0c 3bd8 7202 8bd8 8b576c 85d2 }
            // n = 6, score = 2800
            //   2b5f0c               | sub                 ebx, dword ptr [edi + 0xc]
            //   3bd8                 | cmp                 ebx, eax
            //   7202                 | jb                  4
            //   8bd8                 | mov                 ebx, eax
            //   8b576c               | mov                 edx, dword ptr [edi + 0x6c]
            //   85d2                 | test                edx, edx

        $sequence_8 = { 83c404 85c0 0f95c0 84c0 7449 8d7b08 8bcf }
            // n = 7, score = 2800
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   0f95c0               | setne               al
            //   84c0                 | test                al, al
            //   7449                 | je                  0x4b
            //   8d7b08               | lea                 edi, [ebx + 8]
            //   8bcf                 | mov                 ecx, edi

        $sequence_9 = { 56 8b35???????? 8b4618 57 8d7e18 50 ff15???????? }
            // n = 7, score = 2800
            //   56                   | push                esi
            //   8b35????????         |                     
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   57                   | push                edi
            //   8d7e18               | lea                 edi, [esi + 0x18]
            //   50                   | push                eax
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 1302528
}