13 September 18, 15:47
(This post was last modified: 13 September 18, 15:58 by silversurfer.)
Quote: Osiris’ fundamental makeup positions it in the fore of malware trends, despite being based on old source code that’s been knocking around for years.
After staying dormant for a few years, the Kronos banking trojan resurfaced in July in a form dubbed Osiris. A wider analysis of how the banking trojan is evolving shows innovative development on the part of its authors, with an eye to broader malware trends.
Osiris first appeared in July in three distinct campaigns targeting Germany, Japan and Poland over the summer. It was clear that it’s based on the Kronos malware, which led the financial crime pack for many quarters after it surfaced in 2014 (it is itself a descendant of the infamous Zeus banking code).
While the behaviors exhibited by the newly spawned banking trojan are similar to those of many other prevalent banking malware families (for instance, it implements Zeus-style G/P/L web-injects, a keylogger and a VNC server, according to Securonix researcher Oleg Kolesnikov), there are also significant differences.
For one, it uses encrypted Tor traffic for command-and-control (C2). “The malicious payload spawns multiple processes named ‘tor.exe’ and connects to multiple distinct hosts (Tor nodes) located in different countries,” Kolesnikov said in a post Tuesday on Osiris.
Source: https://threatpost.com/osiris-banking-tr...on/137393/
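The Tor C2 behaviour quoted above (several tor.exe processes, each reaching distinct nodes in different countries) is the kind of thing that is easy to hunt for in endpoint telemetry. The following is an added detection sketch, written for this page and not code from the post, the Threatpost article or Securonix: it runs over constructed Sysmon-style process-create and network-connect events, groups tor.exe instances by their parent image, and alerts when a parent that is not the Tor Browser (the firefox.exe allow-list, the thresholds, the file paths and the GeoIP table are all assumptions for illustration) has spawned multiple tor.exe processes that together reach several hosts in several countries.

```python
"""Hunt for tor.exe processes spawned by something other than the Tor Browser
and fanning out to Tor nodes in several countries.

Everything below is constructed for illustration: the event records mimic
Sysmon EventID 1 (process create) and EventID 3 (network connect), the GeoIP
table is a stand-in for a real database, and the thresholds are assumptions.
"""
import ntpath
from collections import defaultdict

# Constructed sample telemetry (not real captures). 'dropper.exe' is a
# placeholder name for the malicious parent, not a known Osiris artifact.
EVENTS = [
    {"type": "process_create", "pid": 4120, "image": r"C:\Users\bob\AppData\Roaming\x9\tor.exe",
     "parent_image": r"C:\Users\bob\AppData\Roaming\x9\dropper.exe"},
    {"type": "process_create", "pid": 4128, "image": r"C:\Users\bob\AppData\Roaming\x9\tor.exe",
     "parent_image": r"C:\Users\bob\AppData\Roaming\x9\dropper.exe"},
    {"type": "process_create", "pid": 4140, "image": r"C:\Users\bob\AppData\Roaming\x9\tor.exe",
     "parent_image": r"C:\Users\bob\AppData\Roaming\x9\dropper.exe"},
    {"type": "network_connect", "pid": 4120, "image": r"C:\Users\bob\AppData\Roaming\x9\tor.exe",
     "dst_ip": "198.51.100.7", "dst_port": 9001},
    {"type": "network_connect", "pid": 4128, "image": r"C:\Users\bob\AppData\Roaming\x9\tor.exe",
     "dst_ip": "203.0.113.44", "dst_port": 443},
    {"type": "network_connect", "pid": 4140, "image": r"C:\Users\bob\AppData\Roaming\x9\tor.exe",
     "dst_ip": "192.0.2.19", "dst_port": 9001},
    {"type": "network_connect", "pid": 4140, "image": r"C:\Users\bob\AppData\Roaming\x9\tor.exe",
     "dst_ip": "198.51.100.88", "dst_port": 9001},
    # Benign: Tor Browser launches its bundled tor.exe from firefox.exe.
    {"type": "process_create", "pid": 5200,
     "image": r"C:\Users\alice\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe",
     "parent_image": r"C:\Users\alice\Desktop\Tor Browser\Browser\firefox.exe"},
    {"type": "network_connect", "pid": 5200,
     "image": r"C:\Users\alice\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe",
     "dst_ip": "203.0.113.9", "dst_port": 443},
]

# Constructed GeoIP table (assumption); use a real GeoIP database in practice.
GEOIP = {
    "198.51.100.7": "DE", "203.0.113.44": "NL", "192.0.2.19": "US",
    "198.51.100.88": "FR", "203.0.113.9": "SE",
}

# Tuning knobs (assumptions, not values from the article).
MIN_TOR_PROCS = 2        # more than one tor.exe under the same parent
MIN_DISTINCT_HOSTS = 3   # reaching several distinct remote hosts
MIN_COUNTRIES = 2        # in more than one country
KNOWN_TOR_PARENTS = {"firefox.exe"}  # allow-list for the Tor Browser bundle


def _basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect_tor_c2(events, geoip=GEOIP):
    """Return one alert per suspicious parent process of tor.exe instances."""
    procs = {}                  # pid -> process_create event for tor.exe
    conns = defaultdict(set)    # pid -> set of remote IPs it connected to
    for ev in events:
        if _basename(ev["image"]) != "tor.exe":
            continue
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
        elif ev["type"] == "network_connect":
            conns[ev["pid"]].add(ev["dst_ip"])

    by_parent = defaultdict(list)
    for pid, ev in procs.items():
        by_parent[ev["parent_image"]].append(pid)

    alerts = []
    for parent, pids in by_parent.items():
        if _basename(parent) in KNOWN_TOR_PARENTS:
            continue  # expected Tor Browser behaviour, not C2
        hosts = set().union(*(conns[p] for p in pids))
        countries = {geoip.get(h, "??") for h in hosts}
        if (len(pids) >= MIN_TOR_PROCS and len(hosts) >= MIN_DISTINCT_HOSTS
                and len(countries) >= MIN_COUNTRIES):
            alerts.append({
                "parent": parent,
                "tor_pids": sorted(pids),
                "hosts": sorted(hosts),
                "countries": sorted(countries),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_tor_c2(EVENTS):
        print(alert)
```

The parent-image grouping is what separates a dropper that bundles its own tor.exe from a user running Tor Browser; in a real deployment you would key the allow-list on signer or path rather than on the bare parent name, since anything can be renamed firefox.exe.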