New Banking Malware, “Kronos,” Headed Your Way

Time to clutch your digital wallet just a little more tightly.

According to CSO Online’s Lucian Constantin, a new piece of malware, branded “Kronos” by its creators, is being advertised on your favorite Russian cyber-criminal forums. Constantin reports that Kronos steals credentials from Internet Explorer, Mozilla Firefox and Google Chrome browsing sessions through form-grabbing and HTML content injection techniques.

The latter set of techniques, also referred to as Web injects, were developed for “Zeus,” the last trojan aimed at stealing your credentials. Constantin believes they were included in order to ease cyber-criminals’ transition from Zeus to the more capable Kronos.

Additionally, the software package contains “a user-mode rootkit component for 32-bit and 64-bit Windows systems that can protect its processes from competing malware. Its creator also claims that Kronos can evade antivirus detection and sandbox environments typically used for malware analysis.”

There is one piece of “good” news related to this new threat, however: the asking price for Kronos. Etay Maor, a senior fraud prevention strategist at IBM subsidiary Trusteer, says that “most malware today is sold in the low hundreds of dollars, sometimes even offered for free due to several malware source code leaks.”

Compare this with Kronos, as conveyed by Constantin:

“The new cybercriminal tool is being advertised for $7,000, a price that includes the promise of continued development, free upgrades and bug fixes.”

He continues:

“The premium price suggests that Kronos is aimed to be a replacement for former commercial crimeware toolkits like Zeus, Carberp and SpyEye, whose development has been discontinued or whose source code has been leaked in recent years.”

In fact, because of similarities in the code, Kaspersky Lab believes that Kronos is based on the formerly premium-priced Carberp, which had its source code leaked online last year. The high price could deter many petty, low-level cyber-criminals from taking up the new tool. The flip side is that the ones with the bucks to invest in Kronos are likely to be the already successful, and thus savvier, criminal elements.

While the creators of the new trojan may somewhat exaggerate the capability of their new product (then again, who doesn’t?), it’s definitely better for business owners and consumers to be safe rather than sorry. It’s best to prepare yourself if your business relies on customers logging into online portals. If you have an Identity and Access Management provider, talk with them about options for dealing with Kronos. If you don’t yet have an IAM solutions provider, well, we can help you there too.

I think Constantin ends on the right note when he quotes Kaspersky Lab’s Dmitry Tarakanov on what drives the continued creation of these trojans:

“The cybercriminal underground is a market. Source code leakages and botnet shutdowns have been happening constantly but we see virus writers from time to time come up with new (or based on old but modified) banking malware. It proves that the market wants such tools.”

Long story short: cyber-criminals want your money, and demand the tools to get at it. Make sure you have the tools to fight back.

For Lucian Constantin’s piece at CSO Online, click here.
