'Father of Zeus' Kronos malware exploits Office bug to hijack your bank account

The $7000 malware shows there is serious money to be made in the banking Trojan market.
Written by Charlie Osborne, Contributing Writer

Kronos, also known as the "father of Zeus," is a particularly pernicious form of malware which simply will not go away.

Zeus, Gozi, and Citadel are well-known Trojans which focus their efforts on the theft of financial credentials which can be used by threat actors to compromise online bank accounts, conduct identity theft, or collect data which is later sold in credential dumps on the Dark Web.

In Greek mythology, Kronos is Zeus' father. In the world of black hat cybersecurity tools, a somewhat similar relationship appears to exist -- a connection prompted by Kronos injection files that are specifically crafted by the malware's developer to be compatible with Zeus variants.

First uncovered in Russian underground forums in 2014, Kronos comes with a premium price tag of $7000, as well as a one-week "trial" option for $1000.

The Kronos developers, in return for these payments, promise constant updates, bug fixes, and the development of new modules.

According to Securonix researchers, the malware has just received one of the promised updates.

On Tuesday, the cybersecurity firm published new research into the malware, saying that the latest Kronos variant, also known as Osiris, was discovered in July this year.


Three distinct, separate campaigns are already underway in Germany, Japan, and Poland which utilize the Trojan.

The primary infection vector is phishing campaigns and fraudulent emails, as well as exploit kits such as RIG. The malicious emails contain crafted Microsoft Word documents or RTF attachments with macros that drop and execute obfuscated VB stagers.

The documents exploit CVE-2017-11882, a buffer flow vulnerability in the Microsoft Office Equation Editor Component which was discovered back in 2017.

If a target system has not been patched, the bug permits the execution of arbitrary code.

The new malware variant also makes substantial use of Tor, with a command-and-control (C2) server hosted in the anonymizing onion router network. Kronos now connects to multiple Tor nodes that are located in various countries to communicate with the C2 server.

Some versions of the malware also support remote control through a custom LibVNCServ- er library.

See also: Cryptojacking campaign exploiting Apache Struts 2 flaw kills off the competition

Once executed on a target system, Kronos will attempt to steal data from a variety of sources. In particular, the malware will modify the Windows registry in order to allow the injection of malicious code into browsers, and so when a bank domain is visited, a man-in-browser attack is performed.

Firefox browser security settings may also be lowered.

Kronos will harvest form values from unwitting victims that check their online accounts and may also conduct further keylogging to gain legitimate bank credentials. The latest configurations for the malicious script used is downloaded periodically from the C2 server.

TechRepublic: Why passwords are a terrible method of authentication

In order to maintain persistence, Kronos may copy itself into the C: \Users\%\AppData\Roaming folder, alongside Tor executables and malicious DLLs. The malware will also write itself to startup.

The evolution of the Kronos malware is not good news for banks or consumers alike. As long as the market for valuable, financial data is strong, malware developers will continue to refine and improve their creations -- reaping the proceeds of malware purchases and subscriptions in the process.

CNET: Equifax's hack, one year later: A look back at how it happened and what's changed

In March, Webroot researchers discovered that the TrickBot Trojan had also been taught a number of new tricks, including a new file locking system found more commonly in ransomware strains.

Previous and related coverage

Editorial standards