WCB#5- Re-emergence of Kronos Malware


Weekly Recap

Another busy week in the world of cyber. From determining the culprits of a well-known crypto hack to the revival of notorious malware, the stories have been captivating. Below is a list of some of the high-profile events for this past week:

  • The Lazarus Group was found to be the threat actor that coordinated the $100m hack on the Harmony bridge. Harmony, a blockchain-based platform, had its assets stolen due to vulnerabilities found in Harmony's Horizon Ethereum bridge. The FBI was able to determine it was the Lazarus Group when the group attempted to move approximately 60 million dollars via a protocol called RAILGUN. More on this story can be viewed here.

  • Threat actors deployed ransomware to steal data from Yum Brands. Yum Brands is a conglomerate of popular fast-food restaurants such as Taco Bell and KFC. The attack was focused on the United Kingdom-based branches and the threat actors have not been identified. The cause of the attack has not been determined, but one could guess that an employee's credentials were obtained by way of a social engineering attack. More on this story can be found here.

  • Threat actors have begun to use Sliver as an open-source alternative to popular C2 frameworks. Sliver is a Golang-based cross-platform post-exploitation framework created for red team activities such as penetration testing. It offers threat actors features such as process injection and dynamic code generation. More on this can be found here.

For this week's story, I chose to discuss the re-emergence of the infamous Kronos malware.

Background of Kronos

Before discussing Kronos, you must understand what malware is. According to Cisco, malware is intrusive software that is designed to damage and destroy computers and computer systems. Malware simply means malicious software. This malicious software can be spyware, ransomware, trojan viruses and more. More on this can be found here. In this case, Kronos is a trojan: it disguises itself as authorized software to gain entry into a variety of systems. With this newfound knowledge, let's briefly discuss the history of Kronos.

Kronos was allegedly developed in 2011 from the leaked source code of the Zeus malware. Like Zeus, Kronos was niche malware aimed at the banking industry and built to steal banking login credentials, using techniques such as web injects and keylogging. It continued to be developed from that point and went through different eras of attack. In 2015, it focused its attacks on British banks. Two years later, a British security researcher named Marcus Hutchins was arrested in the U.S. for his involvement in developing Kronos and its predecessor, UPAS Kit, from 2011 to 2015. In 2018, after a hiatus, it became active once again and used the moniker "Osiris" to carry out banking trojan attacks. Presently, it has set its sights on the banking system of Mexico, but this time the trojan has been combined with another type of malware: ransomware.

Summary of Attack

According to Security Intelligence, Kronos attacked its first victim last year using a malicious Chrome extension with web injects, which was unheard of among financial institutions. The findings of the attack were revealed this past week. The method of attack consists of using configuration files to view pages in a user's web browsing history, injecting a malicious JavaScript payload to steal the user's information, and using a command and control (C&C) server to transfer that information to the attacker. The attacker then uses a C&C panel to view sensitive information such as login credentials and to monitor the victim's activity.

More detail on the attack can be found here.
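
A defender's check tied to the technique described above, added here as an example and not taken from the original post or from Security Intelligence's analysis: it audits Chrome extension manifests for the capabilities the attack relies on (browsing-history access plus script injection into every site). The Extensions/<id>/<version>/manifest.json profile layout, the chosen permission lists and the sample manifest are assumptions of this example; a finding marks a capability worth reviewing, not proof of malice.

```python
import json
from pathlib import Path

# Match patterns that reach every site, banking portals included.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs tied to the behaviour described: reading visited pages, injecting script,
# observing traffic or sessions (a list chosen for this example).
SENSITIVE_APIS = {"history", "tabs", "scripting", "webRequest", "cookies"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json (Manifest V2 or V3)."""
    declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    perms = {p for p in declared if isinstance(p, str)}
    apis = perms & SENSITIVE_APIS
    # A content script with a universal match pattern runs its JS in every page.
    inject_all = any(
        BROAD_HOSTS & set(cs.get("matches", [])) and cs.get("js")
        for cs in manifest.get("content_scripts", [])
    )
    findings = []
    if inject_all:
        findings.append("content script injected into every site")
    if "history" in apis:
        findings.append("reads browsing history")
    if perms & BROAD_HOSTS and apis - {"history"}:
        findings.append("broad host access with " + ", ".join(sorted(apis - {"history"})))
    if inject_all and "history" in apis:
        findings.append("HIGH: history access combined with universal script injection")
    return findings


def scan_profile(profile_dir: str) -> dict[str, list[str]]:
    """Audit every extension under <profile>/Extensions/<id>/<version>/."""
    results = {}
    for path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        ext_id = path.parts[-3]
        try:
            findings = audit_manifest(json.loads(path.read_text(encoding="utf-8")))
        except (OSError, ValueError, AttributeError, TypeError):
            findings = ["manifest unreadable or malformed"]
        if findings:
            results[ext_id] = findings
    return results


# Constructed sample manifest for illustration (not the Kronos extension's).
SAMPLE = {"manifest_version": 2, "permissions": ["history", "tabs", "<all_urls>"],
          "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}
```

Calling scan_profile on a user's Chrome profile directory returns a mapping of extension ID to findings, which can be compared against the organisation's approved-extension list.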

Why I found this story interesting

Malware of any form is always a concern for the end user. Malware specifically designed for banking and financial institutions, however, should be handled with the utmost caution one can provide. Kronos malware is interesting to me because it has been able to remain relevant for this long in the game and still causes major issues to various banking systems across the globe. This shows that those reinventing Kronos at each iteration are always one step ahead of their prey. Another interesting fact about Kronos is that it was allegedly created from the leaked source code of the Zeus malware. Zeus malware was dubbed one of the "OGs" of banking-based malware, and during its era from 2007-2011, the malware infiltrated millions of systems and stole billions of dollars. Zeus was a trojan-based malware, which means it was malware that disguised itself as legitimate code to gain entry into the system. Once in a system, however, the threat actor can introduce other forms of malware to achieve their goal. Kronos acts in the same manner, but this latest version of Kronos acts differently.

Possible Implications of this reemergence

  • Loss of revenue

  • Loss of trust

  • Sensitive Data Exposure

Solutions on how to defend against Kronos

  • Implement antivirus software

  • Implement the latest software updates

  • Frequently update and patch systems.

  • Heightened security awareness & training

Conclusion

With Kronos back on the scene with a vengeance, banking institutions should be concerned. The malware is notorious for causing harm to the institutions and by extension, everyday citizens that use these respective banks. All is not lost, however, as there are proven methods to avoid the loss of sensitive data. Some of these methods include increasing security awareness and training for both employees and end users, conducting consistent software updates and patches to systems, and implementing antivirus software.

Resources

Threat actors turn to Sliver as open source alternative to popular C2 frameworks. The Hacker News. (2023, January 24). Retrieved January 29, 2023, from https://thehackernews.com/2023/01/threat-actors-turn-to-sliver-as-open.html

Quarmby, B. (2023, January 24). North Korea's Lazarus Group masterminded $100m Harmony Hack: FBI confirms. Cointelegraph. Retrieved January 29, 2023, from https://cointelegraph.com/news/north-korea-s-lazarus-group-masterminded-100m-harmony-hack-fbi-confirms

Kronos malware reemerges with increased functionality. Security Intelligence. (2023, January 25). Retrieved January 29, 2023, from https://securityintelligence.com/kronos-malware-reemerges-increased-functionality/

Toulas, B. (2023, January 19). Ransomware gang steals data from KFC, Taco Bell, and Pizza Hut Brand Owner. BleepingComputer. Retrieved January 29, 2023, from https://www.bleepingcomputer.com/news/security/ransomware-gang-steals-data-from-kfc-taco-bell-and-pizza-hut-brand-owner/

Cisco. (2022, June 6). What is malware? - definition and examples. Cisco. Retrieved January 29, 2023, from https://www.cisco.com/c/en/us/products/security/advanced-malware-protection/what-is-malware.html

Malwarebytes Labs. (n.d.). The life and death of the Zeus trojan. Malwarebytes. Retrieved January 29, 2023, from https://www.malwarebytes.com/blog/news/2021/07/the-life-and-death-of-the-zeus-trojan