Threat Management, Incident Response, Malware, TDR

Banking trojan KINS resembles architecture of Zeus, targets Windows users


A new banking trojan designed to steal financial information from Windows users is up for sale, and researchers may be mixing it up with other malware.

Dubbed “KINS” by its developers, the trojan is expected to be a long-awaited replacement for other financial malware, like Zeus, SpyEye and the Citadel.  

KINS is the “ideal candidate” for cyber criminals in search of the next major banking trojan because it's commercially available, easy to use (much like Zeus) and is offered with technical support, Limor Kessem, a cyber crime and online fraud expert at RSA's FraudAction Research Lab, said in a Tuesday blog post.

RSA researchers discovered early mentions of KINS in February on online Russian forums, but it wasn't until late last month that the trojan's author began selling it for $5,000 via WebMoney, an online money transfer system.

But Kessem told that the trojan's author appears to be lying when he says it was “developed from scratch” and not a modification of a previous piece of malware.

One indicator of this was that an online advertisement said KINS can terminate itself if Russian or Ukrainian languages are detected on a victim's computer – a means of avoiding law enforcement and a feature first introduced by the Citadel trojan in January 2012.

KINS is also compatible with malicious plug-ins and features of Zeus and SpyEye, Kessem explained.

“This first thing [the developer] said is that he programmed it from scratch, but when you look at it, it looks too familiar,” Kessem said. “It's compatible with Zeus web injections, for instance. When we get a sample, we are going to analyze the malware and see what it's built on, but we are not buying the ‘I wrote it from scratch' bit."

KINS also comes with a dynamic-link library (DLL) capability, which allows the malware to drop a small malicious file initially, which could go undetected by anti-virus software, before initiating other malicious add-ons and tricks.

The trojan spread through popular exploit kits, including Neutrino, a newer toolkit discovered by researchers in March.

Fraudsters are also packaging KINS with a remote desktop protocol (RDP) feature that provides them with remote access to infected machines.

Kessem said that as anti-virus continues to play catch-up, it's too early to estimate how many samples of KINS have infected Windows users.

"There are not enough samples out in the wild yet," she said. "We do know of fraudsters using it, but [researchers] may think it's something else at first. It's possible that in the first phase they are not realizing it's new malware."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.