After staying dormant for few years, the Kronos banking trojan resurfaced in July in a form dubbed Osiris. A wider analysis of how the banking trojan is evolving shows innovative development on the part of its authors, with an eye to broader malware trends.
Osiris first appeared in July in three distinct campaigns targeting Germany, Japan and Poland over the summer. It was clear that it’s based off of the Kronos malware which led the financial crime pack for many quarters after it surfaced in 2014 (it is itself a descendant of the infamous Zeus banking code).
While the behaviors exhibited by the newly spawned banking trojan are similar to many other prevalent banking malware (for instance, it implements Zeus-style G/P/L web-injects, a keylogger and a VNC server, according to Securonix researcher Oleg Kolesnikov), there are also significant differences.
For one, it uses encrypted Tor traffic for command-and-control (C2). “The malicious payload spawns multiple processes named ‘tor.exe’ and connects to multiple distinct host (Tor nodes) located in different countries,” Kolesnikov said in a post Tuesday on Osiris.
Also, Osiris has upped the game on evasion efforts. As Kolesnikov explained in an interview with Threatpost, “One of the new aspects of Osiris that are particularly notable is a fairly innovative legitimate process impersonation technique.” He added that this evasion technique involves a combination of a recently pioneered process-doppelganging approach, combined with the more traditional process-hollowing technique.
“This can potentially make detection of the banking trojan’s activity using purely endpoint tools more challenging compared to tools that are capable of looking at the behaviors of other entities besides endpoints…[such as] network and user information,” he said.
The Attack Pattern
The primary infiltration vector that has so far been seen in the wild for Osiris is spam email. These contain specially crafted Microsoft Word documents/RTF attachments with macro/OLE content that cause malicious obfuscated VB stages to be dropped and executed. In many scenarios, the malware is distributed using exploit kits like RIG EK, the analysis showed.
The malicious document exploits a well-known buffer overflow vulnerability in Microsoft Office Equation Editor Component (CVE-2017-11882) which allows the attacker to perform arbitrary code-execution.
“The vulnerability resides in the Equation Editor Component which, when used, runs as its own process (eqnedt32.exe),” Kolesnikov explained. “Because of the way it was implemented, it doesn’t support Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). A malicious document exploits the vulnerability to execute a command to download the latest version of [Osiris].”
Osiris, like other banking trojans, is mainly aimed at stealing credentials and other sensitive data, from online banking accounts and so on. The primary method of collection is through a man-in-browser attack to web-inject malicious script into banking websites and grabbing form values.
A Thoroughly Modern Malware
Notably, Osiris’ fundamental makeup positions it in the fore of malware trends, despite being based on old source code that’s been knocking around for years.
“Based on the banking attacks we are seeing in the wild, there appears to be a growing trend towards a convergence of malicious features offered by many trojans,” Kolesnikov told Threatpost. “For instance, it is quite common to see the same baseline set of features offered in many prevalent bank trojans, such as form-grabbing, sandbox and AV bypass, web injections, password recovery, keylogging and remote access.”
He added that the latest version of Osiris also fits into a trend of malware adopting a more modular architecture in general; this enables malicious actors to provide updates and plugins to implement various malicious behaviors after an initial infection.
This dovetails with “a growing trend for more rapid malware prototyping and a decrease in the ‘research-to-malware’ time it for malicious threat actors to implement the latest attack and evasion techniques reported in the security community,” he added.
Unfortunately, Osiris is poised to become more widespread, given that its pricing on the Dark Web lowers the barrier-to-entry for bad actors.
“Another aspect is that Osiris is relatively cheaper compared to Kronos, which was sold for $3,000 in 2014, compared to Osiris that is sold for $2,000 in 2018, making it potentially more accessible to more cybercriminals,” Kolesnikov told us. “Also, Osiris authors offered an option of reselling the license for $1,000 (not offered for Kronos), which can potentially further increase the scale and impact of the malicious threat.”