KINS Banking Trojan a Successor to Citadel?

A new strain of banking malware called KINS has been discovered for sale on a closed Russian underground forum.

It seems the cybercrime underground is pining for a new breed of banking Trojan.

With heavyweights such as Citadel no longer generally available for purchase, rumblings on forums for months have indicated that a new project would be welcomed and financed.

Since February, researchers at RSA’s FraudAction Research Lab have been watching conversations about a possible new Trojan called KINS, one that could fit the criteria potential financiers have been looking for: it’s available for purchase; easy to use; and comes with technical support.

Recently, a note on a closed Russian-language underground forum advertised that KINS was available for purchase. A description of the malware indicates many similarities to predecessors such as Zeus, SpyEye and Citadel, yet the author says this is not a modification of any other malware.

“Underground chatter increasingly reflects the growing appetite for new, ‘real’ banking malware in the online fraud arena, featuring discussions by criminals who would eagerly welcome a new developer and jointly finance a banker project if one would only make sense to them,” said Limor Kessem of FraudAction.

Initially, KINS was being closely linked to the Citadel source code and the hunt was on for its developer. But those conversations quickly died out, Kessem said, because potential purchasers did not want to be shot down when it came time to buy the malware. Now that KINS is out in the open, it could be the successor to Citadel, et al.

“Beyond being advertised on the most exclusive venues where all other major Trojans were introduced in the past, KINS appears already to be a familiar name in the underground, its developer is responsive and further offers technical support to new customers, which has become a strong selling point for any malware vendor,” Kessem said.

The KINS author is being opportunistic in recognizing a gap in the market for new malware. Kessem said his malware is likely to be in demand and once he has peer validation, adoption could rise quickly.

According to the advertisement, KINS consists of a dropper and DLLs, and the standard version sells for $5,000 paid out via WebMoney. Additional modules, such as a plug-in that thwarts detection by a particular security software, are also available for up to $2,000. The ad also promises the availability of a Remote Desktop Protocol module that will allow botmasters to remotely access compromised machines. The malware attacks a compromised machine’s volume boot record, giving it machine-level access to victims.

The ad also touts the malware’s simplicity and security.

“There is no need for special skills for the installation of this Trojan, nor is any special knowledge needed for the use of the bot,” the ad says, adding that the malware supports Windows 8 and that all Russian countries are blocked.

Kessem points out that the KINS architecture is similar to Zeus and SpyEye and has numerous features that are also found in SpyEye, including compatibility with Zeus Web injections.

“KINS’ developer seems to be a loyal disciple of his predecessors, taking their best practices and applying it to his Trojan,” Kessem said.

“With all other major malware developers choosing to lay low to avoid imminent arrest by law enforcement authorities, KINS’ author is very sure to see an immediate demand for his Trojan, so long as he can avoid capture himself and as soon as high-ranking peers sign off on its crime-grade quality,” Kessem said. “As that happens, anti-fraud teams around the world may be dealing with a new Trojan in the very near future.”

Suggested articles