July 14, 2014, 2:33 PM — A new Trojan program designed to steal log-in credentials and other financial information from online banking websites is being advertised to cybercriminal groups on the underground market.
The new malware is called Kronos, and based on a recent ad seen in a Russian cybercriminal forum, it can steal credentials from browsing sessions in Internet Explorer, Mozilla Firefox and Google Chrome by using form-grabbing and HTML content injection techniques, said Etay Maor, a senior fraud prevention strategist at IBM subsidiary Trusteer, Friday in a blog post.
According to the ad, the new threat is compatible with content-injection scripts -- also known as Web injects -- developed for Zeus, a popular online banking Trojan that's no longer in development. This design decision is intended to allow cybercriminals who still use Zeus variants in their operations to easily switch to Kronos.
In addition to the information-theft capabilities, the new Trojan has a user-mode rootkit component for 32-bit and 64-bit Windows systems that can protect its processes from competing malware. Its creator also claims that Kronos can evade antivirus detection and sandbox environments typically used for malware analysis.
The new cybercriminal tool is being advertised for $7,000, a price that includes the promise of continued development, free upgrades and bug fixes.
"Most malware today is sold in the low hundreds of dollars, sometimes even offered for free due to several malware source code leaks," Maor said. "It remains to be seen how popular Kronos will be within the cyber crime community," he said.
The premium price suggests that Kronos is intended as a replacement for former commercial crimeware toolkits like Zeus, Carberp and SpyEye, whose development has been discontinued or whose source code has been leaked in recent years.
According to researchers from Kaspersky Lab, who also saw the Kronos advertisements on several underground forums last week, the new online banking threat appears to be based on the source code of Carberp.
The screenshots posted by Kronos' author demonstrate fragments of code injected into other processes, and the code looks pretty similar to Carberp's, said Dmitry Tarakanov, senior security researcher at Kaspersky Lab, Monday via email.
Carberp has also been sold to cybercriminals in the past at a premium price, but the malware's source code was leaked online last year, possibly after internal disputes between its creators.
Trusteer and Kaspersky Lab have yet to obtain a sample of Kronos for analysis.