Osiris Banking Trojan Threat Intelligence Advisory

Published 16 February 2021


  • The latest variant of Kronos malware stayed dormant till 2018, reemerged in campaigns targeting Germany, Japan, and Poland
  • The Osiris trojan was designed to steal banking credentials of infected victims

Share this Threat Intel:

Advisory Type
Malware Intelligence
Malware Name
Osiris, Kronos
Malware Type
Banking Trojan
Target System
Windows
Affected Industry
BFSI, Business Services, Technology, Retail, Healthcare, Higher Education, Manufacturing, 
Affected Regions
Germany, US, Korea, Japan, Poland

 

Executive Summary

Osiris, a banking trojan, is the latest known variant of the Kronos malware. Discovered in June 2014, the Kronos malware did the rounds on a Russian dark web forum, only to stay dormant for the next couple of years. In July 2018, Kronos resurfaced dubbed as Osiris, in attack campaigns targeting Germany, Japan, and Poland. In 2020 as well another threat actor was found selling the licence to Osiris. The most recent campaign that involved Osiris, targeted customers of the German manufacturing industry. This campaign redirected its victims to questionable websites that triggered the multi-stage delivery of the Osiris trojan. 

 

Threat actor sells Osiris on a russian forum in 2018
Threat actor sells Osiris on a Russian forum in 2018

 

Threat actor sells Osiris license in 2020
Threat actor sells Osiris license in 2020

 

Technical Analysis

This malware was designed to steal banking credentials of infected victims. Its propagation has varied since its first appearance. Now Osiris is delivered via:

  • Spear-phishing email campaigns, where the malicious documents contain macros responsible for downloading the Osiris trojan.
  • Compromised website that hosts malicious fileless malware, responsible for downloading the trojan.

The main feature of Osiris trojan is its encrypted Tor-based communication with the Command and Control server (C2), which allows it to prevent detection. The latest version of the malware had new, additional features such as:

  • Support Windows versions Vista / 7 / 8 / 8.1 / 10
  • Tor Connection
  • Formgrabber POST and GET requests (it will grab everything) fully supported on Internet Explorer, FireFox, Chrome, Opera and Edge all latest versions.
  • WebInjections Support (Zeus style webinjects with automatic Update of injections, supported on Internet Explorer, FireFox, Chrome and Edge all latest versions).
  • Keylogger
  • CC grabber
  • Log Parser
  • Download & Execute
  • Bot Update
  • Browser Password Recovery works on Firefox and Chrome
  • SMTP Outlook 2007,2010,2013,2016 Password Recovery
  • AntVMware, AntiSandbox, AntiDebug Support
  • Normal VNC
  • Socks5 Support
  • Hidden VNC (HVNC)
  • Hidden Teamviewer + File Manager of Teamviewer fully Supported

 

Impact

Technical Impact
  • Disrupting operating system processes, as the Osiris trojan is injected into one of the running processes on the infected machine.
  • Data leak
  • Anonymous connection with the Command and Control server of the attacker
Business Impact
  • Privacy violation
  • Financial data leak and loss 
  • Brand and reputation loss

 

Mitigation

  • Use up-to-date browsers and plugins, and keep updated with latest patches.
  • Apply web-based component restrictions such blocking automatic attachment download, blocking javascript, and restricting browser extensions.
  • Use Antivirus/ Antimalware softwares on the system.
  • Use Network Intrusion Prevention tools with latest signatures.
  • Spread awareness through regular training programs focused on phishing attacks.

 

Tactics, Techniques and Procedures

Tactics
Techniques
Initial Access
T1189 Drive-by Compromise
T1566.001 Spear Phishing Attachment
Privilege Escalation
T1055.001 Dynamic-link Library Injection
T1055.012 Process Hollowing
Defense Evasion
T1112 Modify Registry
T1497 Virtualization/Sandbox Evasion
Discovery
T1497 Virtualization/Sandbox Evasion
Collection
T1056.001 Keylogging
T1185 Man in the Browser
Command and Control
T1573 Encrypted Channel
T1090.003 Multi-hop Proxy

 

Indicators of Compromise

FileHash
af6cc661c03857f4cbf6c325ebe27743
e1afd2e8f7dd3ce55d8794f1e7e396fe
b4cd27f2b37665f51eb9fe685ec1d373
2fc970b717486762f6c890f525329962662074eb632f0827c901fb1081cbd98f
63c62d6086a6cf2fcbb22a16c06eb0bc870cdb2f0bb029390d3bc815c06a6c6b
72c5eeb8807a4576340485377cacc582a3ca651c4632db06903c125be6692968
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
ec936b6bb7497ffb11577c14a9ab2860ec1dd705dc18225bbdab5bf57804bdbc
Domain
ylnfkeznzg7o4xjf[.]onion
URL
hxxp://ylnfkeznzg7o4xjf.onion/kpanel/connect[.]php

Be informed in your Inbox

Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.

Join the Discussions

Discuss your way into our Community about these threats and stay Vigilant and informed.