Researchers have identified a variant of the Kronos banking trojan, dubbed the Osiris Trojan. Kronos first surfaced in 2014, while samples of the variant were first seen in April of this year. In late June, Osiris was seen being delivered via malspam and exploit kits in three campaigns, along with a test run. The campaigns targeted users of Japanese, Polish, and German banks. The two trojans share several traits: the same string encryption technique, the same Windows API hashing technique and hashes, the same C&C encryption mechanism, the same C&C protocol and encryption, and the same webinject format. They are also nearly the same size, with Kronos at 351 KB and Osiris at 350 KB. Although similar, the two trojans are not identical. The main difference is that the 2018 edition uses Tor-hosted C&C control panels. It is unclear who authored the variant; however, their primary goal is to gain dirty money.