| Field | Value |
|---|---|
| Advisory Type | Malware Intelligence |
| Malware Name | Osiris, Kronos |
| Malware Type | Banking Trojan |
| Target System | Windows |
| Affected Industry | BFSI, Business Services, Technology, Retail, Healthcare, Higher Education, Manufacturing |
| Affected Regions | Germany, US, Korea, Japan, Poland |
Executive Summary
Osiris, a banking trojan, is the latest known variant of the Kronos malware. Kronos first surfaced in June 2014 on a Russian dark web forum, then went quiet for the next couple of years. In July 2018 it resurfaced under the name Osiris in attack campaigns targeting Germany, Japan, and Poland, and in 2020 another threat actor was found selling an Osiris licence. The most recent campaign involving Osiris targeted customers of the German manufacturing industry: victims were redirected to questionable websites that triggered a multi-stage delivery of the Osiris trojan.
Figure: Threat actor sells Osiris on a Russian forum in 2018
Figure: Threat actor sells Osiris license in 2020
Technical Analysis
This malware was designed to steal the banking credentials of infected victims. Its propagation method has varied since its first appearance. Osiris is currently delivered via:
- Spear-phishing email campaigns, where malicious documents contain macros responsible for downloading the Osiris trojan.
- Compromised websites that host fileless malware responsible for downloading the trojan.
The main feature of the Osiris trojan is its encrypted, Tor-based communication with the Command and Control server (C2), which helps it evade detection. The latest version of the malware adds new features such as:
- Supports Windows Vista / 7 / 8 / 8.1 / 10
- Tor connection
- Formgrabber for POST and GET requests (captures all submitted form data), fully supported on the latest versions of Internet Explorer, Firefox, Chrome, Opera and Edge
- WebInjections support (Zeus-style webinjects with automatic update of injections, supported on the latest versions of Internet Explorer, Firefox, Chrome and Edge)
- Keylogger
- CC (credit card) grabber
- Log parser
- Download & execute
- Bot update
- Browser password recovery for Firefox and Chrome
- SMTP/Outlook 2007, 2010, 2013, 2016 password recovery
- Anti-VMware, anti-sandbox, anti-debug support
- Normal VNC
- SOCKS5 support
- Hidden VNC (HVNC)
- Hidden TeamViewer, including full support for TeamViewer's file manager
Impact
Technical Impact
- Tampering with operating system processes, since the Osiris trojan injects itself into one of the running processes on the infected machine.
- Data leak
- Anonymised (Tor) connection to the attacker's Command and Control server
Business Impact
- Privacy violation
- Financial data leak and loss
- Brand and reputation loss
Mitigation
- Use up-to-date browsers and plugins, and keep systems current with the latest patches.
- Apply web-based component restrictions such as blocking automatic attachment downloads, blocking JavaScript, and restricting browser extensions.
- Use antivirus/antimalware software on the system.
- Use network intrusion prevention tools with the latest signatures.
- Spread awareness through regular training programs focused on phishing attacks.
Tactics, Techniques and Procedures
| Tactic | Technique ID | Technique |
|---|---|---|
| Initial Access | T1189 | Drive-by Compromise |
| Initial Access | T1566.001 | Spear Phishing Attachment |
| Privilege Escalation | T1055.001 | Dynamic-link Library Injection |
| Privilege Escalation | T1055.012 | Process Hollowing |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
| Collection | T1056.001 | Keylogging |
| Collection | T1185 | Man in the Browser |
| Command and Control | T1573 | Encrypted Channel |
| Command and Control | T1090.003 | Multi-hop Proxy |
Indicators of Compromise
| Type | Value |
|---|---|
| Domain | ylnfkeznzg7o4xjf[.]onion |
| URL | hxxp://ylnfkeznzg7o4xjf.onion/kpanel/connect[.]php |
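As an added example that is not part of the original advisory, the Python below refangs the two network indicators published above and runs them, together with a generic Tor hidden-service pattern, over a few constructed proxy log lines; the Squid-style log format, the sample lines and the function names are assumptions.

```python
import re

# Defanged indicators exactly as published in the advisory above.
DEFANGED_IOCS = [
    "ylnfkeznzg7o4xjf[.]onion",
    "hxxp://ylnfkeznzg7o4xjf.onion/kpanel/connect[.]php",
]

# Constructed sample proxy log lines (Squid-style format is an assumption);
# lines 2 and 4 are the ones a defender would want flagged.
SAMPLE_PROXY_LOG = [
    "1625000000.123 10.0.0.5 TCP_TUNNEL/200 CONNECT www.example.com:443",
    "1625000001.456 10.0.0.7 TCP_MISS/200 POST http://ylnfkeznzg7o4xjf.onion/kpanel/connect.php",
    "1625000002.789 10.0.0.9 TCP_MISS/404 GET http://cdn.example.net/update.js",
    "1625000003.012 10.0.0.7 TCP_TUNNEL/200 CONNECT abcdefghijklmnop.onion:443",
]

# Any v2 (16 chars) or v3 (56 chars) hidden-service name in the base32 alphabet.
ONION_RE = re.compile(r"\b(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)


def refang(ioc):
    """Undo the usual defanging (hxxp -> http, [.] -> .) so the IoC matches raw logs."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def build_matcher(defanged):
    """Compile one case-insensitive alternation of all refanged indicators."""
    return re.compile("|".join(re.escape(refang(i)) for i in defanged), re.IGNORECASE)


def scan_proxy_log(lines, defanged=DEFANGED_IOCS):
    """Return (line_no, verdict, evidence) for lines worth escalating.

    "known-c2" means a published Osiris indicator matched; "unlisted-onion" flags
    any other hidden-service name, since the C2 is Tor-based and a fresh .onion
    would not yet be on any indicator list.
    """
    matcher = build_matcher(defanged)
    hits = []
    for n, line in enumerate(lines, 1):
        m = matcher.search(line)
        if m:
            hits.append((n, "known-c2", m.group(0)))
            continue
        m = ONION_RE.search(line)
        if m:
            hits.append((n, "unlisted-onion", m.group(0)))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

A .onion name only reaches a proxy log when a Tor client or Tor-aware proxy sits in the path; on an ordinary corporate network the observable is the Tor connection itself, so pair this with detection of unexpected Tor clients on endpoints.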