Kronos malware: What is the banking Trojan linked to Marcus Hutchins?

The earliest mentions of the Kronos malware date back to 2014 but the banking Trojan has entered the mainstream following the arrest of Marcus Hutchins.

Hutchins, who was thrust into the spotlight when he “accidentally” stopped the WannaCry virus in May, is said to have been charged by the FBI following a two-year cybercrime investigation. In particular, Hutchins is accused of selling and maintaining Kronos malware from his home in Devon, UK with an unnamed accomplice. Court filings suggest there are six indictments that relate to this supposed crime. 

What is the Kronos banking Trojan?

Kronos was spotted for sale on a Russian cybercrime forum in 2014 for a staggering $7,000. This price piqued the interest of many security researchers because malware is typically sold for hundreds, not thousands, of dollars. Regular malware is also commonly offered for free or distributed via malware source code leaks. For this $7,000 price, the hacker was offering free upgrades as well as bug fixes.

According to the ad, Kronos was designed to use so-called “injects” similar to those seen in the Zeus banking Trojan. Zeus is one of the most well-known Trojans and was first spotted in 2007 before later being taken offline.

What is a Trojan?

A Trojan is a form of malware that masquerades as a benign application. Its strength lies in tricking victims into downloading and running malicious code via dodgy attachments on emails, for example.

The name, like many security-related terms, comes from mythology. Specifically, Trojan viruses are named after the Trojan horse, which brought about the end of the Trojan war, in which soldiers hid inside a large wooden horse and attacked the Greeks. In security terms, the Trojan virus remains hidden in an app or attachment until it’s ready to attack the infected computer.

In addition to email attachments, Trojans are often bundled with legitimate software or bookmark bars downloaded online. The original software works as it should, to avoid suspicion, while the Trojan uses it to wreak havoc on the victim’s PC. Once installed, a Trojan can be used by hackers to install other malicious software, steal usernames and passwords, log keystrokes and much more.

How does the Kronos malware spread?

Kronos’ behaviour is typical of a banking Trojan. In November 2016, security researchers at Proofpoint spotted several large email campaigns sending tens of thousands of messages, targeting various industries, from universities to banks and hospitals.  

These campaigns were sent globally, but primarily targeted the UK and North America. The Kronos malware was sent via attachments that looked legitimate. If an email recipient clicked on the attachment, the Trojan infected their machine.

The original ad seen on the Russian forum in 2014 revealed that Kronos can steal credentials from browsing sessions in Internet Explorer, Firefox and Chrome using so-called “form-grabbing” and HTML content injection techniques. Form-grabbing is a more sophisticated alternative to keylogging. Keylogging captures only keystrokes, so it can often miss sensitive data that a user pastes into a form or selects from a dropdown menu rather than typing. By comparison, form grabbers capture all form data before it’s sent. What’s more, Kronos was engineered to be compatible with the “web injects” developed for Zeus. This was said to have been deliberate, to make it easy for hackers to transition from Zeus to Kronos.

As well as being able to steal information, the Kronos malware was found to contain what’s known as a “user-mode rootkit” that runs on both 32-bit and 64-bit Windows systems and which helps the Kronos malware protect itself against rival malware, as well as stay out of sight of antivirus software.

Image: Kaspersky/Proofpoint
