Researchers from Proofpoint have announced the discovery of a brand new remote access trojan, and an upgraded version of an old banking trojan — both of which have been used in recent phishing campaigns.
The RAT, a modular malware program called Parasite HTTP, was observed for sale on dark web marketplaces, offering such features as sandbox detection, anti-debugging and anti-emulation. The banking trojan is a new version of Kronos, the malware U.S. federal prosecutors allege was created by Marcus Hutchins, the hacker who found a kill switch to stop the 2017 WannaCry ransomware attacks.
According to a Proofpoint blog post today, Parasite HTTP has already been used in at least one small email phishing campaign, which targeted “human resources distribution lists as well as some individual recipients at a range of organizations.” The email messages contained what appeared to be resumes from prospective job applicants, but were actually Microsoft Word attachments armed with malicious macros capable of downloading the trojan.
Written in C, the malware “contains an impressive collection of obfuscation and sandbox- and research environment-evasion techniques,” Proofpoint reports.
Meanwhile, the new Kronos variant began surfacing in the wild in April 2018, emerging in a series of campaigns that have so far targeted users in Germany, Japan and Poland, Proofpoint reports in a second, unrelated blog post.
The malware reportedly uses a combination of man-in-the-browser techniques and webinject rules to modify financial institutions’ web pages, allowing attackers to steal victims’ banking information and conduct fraudulent fund transfers. Its newest feature: a refactored command-and-control mechanism that can now use the Tor network to ensure anonymity during communications.
Proofpoint researchers believe someone may be advertising the new variant on dark web sites as Osiris — noting that the timing of the ad and the various special features it touts line up with the emergence of the new Kronos.
Proofpoint has detected four campaigns so far involving the upgraded Kronos. From June 27-30, the malware was used in an email phishing campaign that impersonated German financial companies with generic subject lines like “Updating our terms and conditions.” This operation relied on a combination of malicious macros and the Smoke Loader downloader program to infect Germans with Kronos.
The next campaign took place on July 13 and targeted customers of Japanese financial institutions, this time using malvertising techniques to redirect online users to compromised web pages distributing Kronos via Smoke Loader.
On July 15 another email phishing campaign targeted recipients in Poland with fake invoice documents containing a malicious attachment that downloaded Kronos via an exploit of CVE-2017-11882, a remote code execution vulnerability in the Microsoft Equation Editor component of Microsoft Office (patched in 2017).
The most recent campaign, observed on July 20, appears to be a work in progress, says Proofpoint — although it’s believed that the infection is executed when users click on a malicious button found on a website for a purported streaming music player.
Proofpoint writes that Kronos’ latest comeback “is consistent with the increased prevalence of bankers across the threat landscape. The first half of this year has been marked by substantial diversity among malicious email campaigns but banking trojans in particular have predominated.”