Fraudsters market new malware Kronos on underground

New malware called “Kronos” could soon make an appearance on victims' machines now that the threat is being advertised on the black market.

According to researchers at Trusteer, an IBM company, the financial malware, capable of stealing user credentials via form grabbing and HTML injection features, was first marketed last Thursday on a major Russian underground forum.

In a Friday blog post, Etay Maor, fraud prevention solutions manager at Trusteer, wrote that Kronos (which is also the name of the Greek god Zeus' father) boasts a titan-like price tag of $7,000 for a “lifetime product license” that includes free updates and bug removals by the malware author.

Trusteer published the original message about Kronos, which was posted on the underground forum.

“Compatible with 64- and 32-bit [Windows machines, the] rootkit trojan is equipped with the tools to give you successful banking actions,” the malware's seller said, meaning the rootkit feature could give saboteurs admin-level control of infected computers and let the trojan operate despite other malware present on the machines.

In addition to the trojan's form-grabbing functionality in Chrome, Internet Explorer and Firefox browsers, HTML injection files “used by Zeus operators can be easily implemented with Kronos,” Maor wrote.

In a Monday interview, George Tubin, senior security strategist at Trusteer, said that the most concerning of the new malware's features were its tactics to evade anti-virus and other security measures.

Of note, Kronos is expected to use an undetected injection method to bypass AV, as well as encrypted command-and-control communications so that malicious traffic is not seen by researchers, the blog post said.

“We are trying to get our hands on a sample of the malware to see if it does what they claim it does,” Tubin said. “We wanted to get this [information] out as soon as we can, as this is the very early stages.”

He later added that the hefty price tag would likely come down the longer the threat remains on the market – and stays on analysts' radars.

“When you come up with a new malware family, you can demand a little bit of a premium,” Tubin said. “It's supply and demand…and we'll certainly see the price come down to normal levels.”

Aside from the $7,000 lifetime product license, Kronos's seller also said that for $1,000 interested buyers can purchase a one-week testing phase where they'll have “full access” to the malware's control panel.
