New variant of Kronos banking trojan spotted using Tor network


WannaCry ransomware hero is facing charges in the United States for developing Kronos banking trojan.

In August 2017, Marcus Hutchins (@MalwareTechBlog on Twitter) aka WannaCry ransomware hero was arrested in the United States by the FBI and charged with playing a vital role in the development of Kronos banking Trojan.

He is still in the States facing Federal offenses however now a new variant of Kronos has been identified.

Kronos Banking Trojan Campaigns

The first campaign observed on June 27, 2018, targeting German users with malicious Word documents contained macro posing it to be from German financial institutions.

Kronos Banking Trojan

The second campaign on July 13, 2018, targeting Japan users, the malvertising campaign sends victims to the page contains malicious javascript, which redirects the users to download the malware.

The third campaign observed on July 15, 2018, targeting Poland users with malicious Word documents with the fake invoices, such as “Faktura 2018.07.16” and the document uses Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882) to download and execute Kronos.

Research spotted the fourth campaign On July 20, 2018, appeared to be a work in progress and still in the testing phase.

Dark web-based C&C

According to researchers, cybercriminals behind the trojan have rebranded it to “Osiris” and currently selling it on different underground marketplaces. The core difference that researchers noticed between Kronos and Osiris is its command and control (C&C) mechanism which has been refactored to use the Tor network.

New variant of Kronos banking trojan spotted using Tor network

This screenshot shows ad listing of the Osiris banking Trojan (Image credit: Proofpoint)


Between June 27th to June 30th, researchers discovered an email campaign using malware-infected Word documents targeting users in Germany. In their campaign, cybercriminals were using spoofed emails addresses and pretending to represent German financial companies informing users about updating their terms and conditions related to the General Data Protection Regulation (GDPR).

The document contained malicious macros which once clicked would drop Kronos. In total, the email campaign targeted five Germany financial companies. In the last couple of months, users around the world received tons of GDPR related emails, therefore, it is not surprising that cybercriminals used the regulation to trick users.

In a similar campaign, last month, cybercriminal used GDPR to blackmail companies and threaten to publish the entire content of the database, containing personal data records, on a public server, that according to the regulation, means that the company will be severely fined.


In Poland, researchers found similar email campaigns containing fake invoice files targeting users from July 15th to 16th. This campaign used Equation Edior exploit to drop Kronos on victim’s device. It must be noted that in January 2018, Microsoft addressed the vulnerability and also issued its patch. Therefore, applying patches can protect users against Kronos trojan.


On July 13th, 13 financial institutions in Japan were hit by a malvertising campaign in which cybercriminals used Smoke Bot or Smoke Loader to drop Kronos trojan. According to researchers, the same campaign was previously used to download Zeus Panda malware.

New attack

On July 20th, Proofpoint researchers spotted a new campaign infecting computers with Kronos trojan. In this campaign, cybercriminals are running a website claiming to provide a download file for Stream EYE music player. Once the user clicks on the “GET IT NOW” button it drops Kronos download file on the system.

Image credit: Proofpoint

“Kronos uses man-in-the-browser techniques along with web inject rules to modify the web pages of financial institutions, facilitating the theft of user credentials, account information, other user information, and money through fraudulent transactions. It also has keylogging and hidden VNC functionality to help with its “banker” activities,” explained Proofpoint researchers.

MalwareTech’s response

As mentioned before, Marcus Hutchins is facing charges for allegedly creating Kronos banking Trojan. Hutchins is the same security researcher who halted the spread of WannaCry ransomware and got the nickname of WannaCry hero. In response to Proofpoint’s findings, Hutchins tweeted about the new variant of Kronos and said that “I’m still on trial for writing Kronos, meanwhile the real author is still updating the code.”

New variant of Kronos banking trojan spotted using Tor network

To protect yourself from Kronos and other banking malware make sure never to download files from unknown emails, never click links received from anonymous senders, keep your system updated and run anti-virus scan regularly.


Please enter your comment!
Please enter your name here

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.