{"id":8807,"date":"2017-08-18T08:10:04","date_gmt":"2017-08-18T16:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/18\/news-2580\/"},"modified":"2017-08-18T08:10:04","modified_gmt":"2017-08-18T16:10:04","slug":"news-2580","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/08\/18\/news-2580\/","title":{"rendered":"Inside the Kronos malware &#8211; part 1"},"content":{"rendered":"<p><strong>Credit to Author: hasherezade | Date: Fri, 18 Aug 2017 15:14:29 +0000<\/strong><\/p>\n<p>Recently, a researcher nicknamed MalwareTech, famous for stopping the WannaCry ransomware, was arrested for his alleged contribution to creating the Kronos banking malware. We still do not have a clear picture of whether the allegations are true or not &#8211; but let&#8217;s have a look at Kronos itself.<\/p>\n<h3>Background<\/h3>\n<p>This malware was first advertised on the black market around July 2014, by an individual nicknamed VinnyK, writing in Russian:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19165\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/advert.jpg\" alt=\"\" width=\"824\" height=\"586\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/advert.jpg 824w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/advert-300x213.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/advert-600x427.jpg 600w\" sizes=\"auto, (max-width: 824px) 100vw, 824px\" \/><\/p>\n<p>Source: <a href=\"https:\/\/twitter.com\/x0rz\/status\/893191612662153216\" target=\"_blank\" rel=\"noopener\">https:\/\/twitter.com\/x0rz\/status\/893191612662153216<\/a><\/p>\n<p>The full text of the advertisement, translated into English, is included in <a href=\"http:\/\/securityintelligence.com\/the-father-of-zeus-kronos-malware-discovered\/\" target=\"_blank\" rel=\"noopener\">IBM&#8217;s Security Intelligence article<\/a>.<\/p>\n<p>We found Kronos being spread by various exploit kits, e.g. Sundown (more information <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/10\/new-looking-sundown-ek-drops-smoke-loader-kronos-banker\/\" target=\"_blank\" rel=\"noopener\">here<\/a>). The malware is still being distributed &#8211; some recent samples were <a href=\"https:\/\/zerophagemalware.com\/2017\/07\/14\/rig-ek-delivers-kronos-banker\/\" target=\"_blank\" rel=\"noopener\">captured about a month ago, dropped from Rig EK<\/a>.<\/p>\n<p>Nowadays, Kronos is often used to download other malware. One of the campaigns using Kronos as a downloader was <a href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware\" target=\"_blank\" rel=\"noopener\">described by Proofpoint<\/a>.<\/p>\n<h3>Analyzed samples<\/h3>\n<p>Samples from 2014:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/3bd4b8caf9ae975bd41dbee1f1719cf7be3efa4f52b8768aba30ba9a40569008\/analysis\/\" target=\"_blank\" rel=\"noopener\">01901882c4c01625fd2eeecdd7e6745a<\/a> &#8211; first observed sample of Kronos (thanks to <a href=\"https:\/\/twitter.com\/GossiTheDog\" target=\"_blank\" rel=\"noopener\">Kevin Beaumont<\/a>)<\/li>\n<li><em>f085395253a40ce8ca077228c2322010<\/em> &#8211; sample from the <a href=\"https:\/\/www.lexsi.com\/securityhub\/overview-kronos-banking-malware-rootkit\/?lang=en\" target=\"_blank\" rel=\"noopener\">Lexsi article<\/a>\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/4181d8a4c2eda01094ca28d333a14b144641a5d529821b0083f61624422b25ed\/analysis\/1502307205\/\" target=\"_blank\" rel=\"noopener\">a81ba5f3c22e80c25763fe428c52c758<\/a> &#8211; Kronos (final payload)\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/ea216cede2a1eff5d76a2f8258d4a89d822f45c3951c5a4734c16ce163153a8f\/analysis\/1502307222\/\" target=\"_blank\" 
rel=\"noopener\">6c64c708ebe14c9675813bf38bc071cf<\/a> &#8211; injlib-client.dll (module of Kronos)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Sample #1 (from 2016)<\/p>\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/e420e521f891c1a6245e377dc7a6ab70458b7c0d77ad39535cb59018a542fe15\/analysis\/\" target=\"_blank\" rel=\"noopener\">2452089b4a9d889f94843430a35fa34f<\/a> &#8211; packed\n<ul>\n<li><strong><a href=\"https:\/\/virustotal.com\/en\/file\/aad98f57ce0d2d2bb1494d82157d07e1f80fb6ee02dd5f95cd6a1a2dc40141bc\/analysis\/\" target=\"_blank\" rel=\"noopener\">9818958e65a0a71e29a2f5e7ffa650ca<\/a> &#8211; Kronos (final payload) &lt;- main focus of this analysis<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Sample #2 (from 2017):<\/p>\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/ffc1cfe4cfa36477ead629bd1a2c6ffb266502c3261b85de431137da411320a8\/analysis\/\" target=\"_blank\" rel=\"noopener\">de9ab737905e09b69b28dc0999d08894<\/a> &#8211; packed\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/0457d848132769424673221e3eb598dc2711bcebd3b5d44d1b0bdcb5b7d27f95\/analysis\/1502119116\/\" target=\"_blank\" rel=\"noopener\">4f5006835669d72c6ce121e66b3034d7<\/a> &#8211; loader (second stage)\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/cd5c2bb8d7d3ba9dc522dae112133956096ffae465a7b21c8f3d3124d070f675\/analysis\/1502119090\/\" target=\"_blank\" rel=\"noopener\">b8986fe9e40f613804aee29b34896707<\/a> &#8211; Kronos (final payload)\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/#\/file\/f9601f695ee80b14e7ecf3c1988bacade7f50f6886f1a89c6f98d0b162959709\/details\" target=\"_blank\" rel=\"noopener\">cb7e33e5ede49301e7cd9218addd5c29<\/a> &#8211; DLL module<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Behavioral analysis<\/h3>\n<p>After being run, Kronos installs itself in a new folder (<em>%APPDATA%\/Microsoft\/[machine-specific GUID]<\/em>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full 
wp-image-19244\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/install_dir.png\" alt=\"\" width=\"589\" height=\"122\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/install_dir.png 589w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/install_dir-300x62.png 300w\" sizes=\"auto, (max-width: 589px) 100vw, 589px\" \/><\/p>\n<p>The dropped sample has the hidden attribute set.<\/p>\n<p>Persistence is achieved with the help of a simple <em>Run<\/em> key:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19246\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/run_key.png\" alt=\"\" width=\"784\" height=\"39\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/run_key.png 784w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/run_key-300x15.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/run_key-600x30.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/run_key-767x39.png 767w\" sizes=\"auto, (max-width: 784px) 100vw, 784px\" \/><\/p>\n<p>At the beginning of the execution, the malware modifies the Firefox profile, overwriting <em>user.js<\/em> with the following content:<\/p>\n<pre>user_pref(\"network.cookie.cookieBehavior\", 0);\nuser_pref(\"privacy.clearOnShutdown.cookies\", false);\nuser_pref(\"security.warn_viewing_mixed\", false);\nuser_pref(\"security.warn_viewing_mixed.show_once\", false);\nuser_pref(\"security.warn_submit_insecure\", false);\nuser_pref(\"security.warn_submit_insecure.show_once\", false);\nuser_pref(\"app.update.auto\", false);\nuser_pref(\"browser.safebrowsing.enabled\", false);\nuser_pref(\"network.http.spdy.enabled\", false);\nuser_pref(\"network.http.spdy.enabled.v3\", false);\nuser_pref(\"network.http.spdy.enabled.v3-1\", false);\nuser_pref(\"network.http.spdy.allow-push\", false);\nuser_pref(\"network.http.spdy.coalesce-hostnames\", false);\nuser_pref(\"network.http.spdy.enabled.deps\", false);\nuser_pref(\"network.http.spdy.enabled.http2\", false);\nuser_pref(\"network.http.spdy.enabled.http2draft\", false);\nuser_pref(\"network.http.spdy.enforce-tls-profile\", false);\nuser_pref(\"security.csp.enable\", false);<\/pre>\n<p>The new settings give the malware more control over the browser&#8217;s behavior and downgrade its security: cookies are always accepted and kept across restarts, the mixed-content and insecure-form warnings are silenced, automatic updates and Safe Browsing are disabled, SPDY and HTTP2 are turned off, and Content Security Policy enforcement is disabled. Then, the malware injects itself into <em>svchost<\/em> and continues running from there. We can find it listening on local sockets.<\/p>\n<p>It is worth noting that Kronos deploys a simple <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/12\/simple-userland-rootkit-a-case-study\/\" target=\"_blank\" rel=\"noopener\">userland rootkit<\/a> that hides the infected process from monitoring tools, so the process running the main module may not be visible. The rootkit is, however, not implemented in a very reliable way, and the hiding does not always work.<\/p>\n<p>Whenever a browser is started, Kronos injects its module there and connects it with the main module that runs inside the svchost process. Looking at the TCP connections established by the particular processes (e.g. using <em>ProcessExplorer<\/em>), we can see that a browser is paired with the infected <em>svchost<\/em>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19268\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/connected_browser-1.png\" alt=\"\" width=\"450\" height=\"435\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/connected_browser-1.png 450w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/connected_browser-1-300x290.png 300w\" sizes=\"auto, (max-width: 450px) 100vw, 450px\" \/><\/p>\n<p>This trick is often used by banking trojans for the purpose of stealing data from the browser. 
The module injected into the browser hooks the APIs the browser uses and steals the data. It then sends this data to the main module, which processes it further and reports to the CnC.<\/p>\n<h3>Network communication<\/h3>\n<p>The analyzed sample was connecting to CnCs at two addresses:<\/p>\n<pre>http:\/\/springalove.at:80\/noix\/connect.php\nhttp:\/\/springahate.at:80\/noix\/connect.php<\/pre>\n<p>At the time of analysis, each CnC was dead (sinkholed), but we could still spot some patterns typical for this malware family.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19275\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/queries_cnc.png\" alt=\"\" width=\"456\" height=\"49\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/queries_cnc.png 456w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/queries_cnc-300x32.png 300w\" sizes=\"auto, (max-width: 456px) 100vw, 456px\" \/><\/p>\n<p>First, the malware sends a beacon that is 74 bytes long:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19277\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/beacon1.png\" alt=\"\" width=\"686\" height=\"156\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/beacon1.png 686w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/beacon1-300x68.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/beacon1-600x136.png 600w\" sizes=\"auto, (max-width: 686px) 100vw, 686px\" \/><\/p>\n<p>Then follows another chunk of data:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19278\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/packet_sent2.png\" alt=\"\" width=\"696\" height=\"415\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/packet_sent2.png 696w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/packet_sent2-300x179.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/packet_sent2-600x358.png 600w\" sizes=\"auto, (max-width: 696px) 100vw, 696px\" \/><\/p>\n<p>In both cases we can see that the requests are obfuscated by XOR with a random character (a single-byte key). This is how the beacon looks after being XOR-decoded:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19286\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/beacon_decrypted.png\" alt=\"\" width=\"703\" height=\"93\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/beacon_decrypted.png 703w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/beacon_decrypted-300x40.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/beacon_decrypted-600x79.png 600w\" sizes=\"auto, (max-width: 703px) 100vw, 703px\" \/><\/p>\n<p>We can see that all the requests start with the same header, including the GUID specific to the infected machine.<\/p>\n<p>Detailed research on decrypting Kronos communication has already been described <a href=\"https:\/\/www.lexsi.com\/securityhub\/kronos-decrypting-the-configuration-file-and-injects\/?lang=en\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<h3>Inside<\/h3>\n<h4>Interesting strings<\/h4>\n<p>Like most malware, Kronos is distributed packed by various packers\/crypters. After unpacking the first layer, we get the malicious payload. 
We can easily identify Kronos by the typical strings used:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19166\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_strings.png\" alt=\"\" width=\"350\" height=\"80\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_strings.png 350w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_strings-300x69.png 300w\" sizes=\"auto, (max-width: 350px) 100vw, 350px\" \/><\/p>\n<p>There are more strings that are typical for this particular malware:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19188\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/hashes.png\" alt=\"\" width=\"214\" height=\"210\" \/><\/p>\n<p>Those strings are hashes used to dynamically load particular imported functions. Malware authors use this method to obfuscate the API functions they use and, in this way, hide the real mission of their tool. Instead of loading a function by its explicit name, they enumerate all the functions exported by a particular DLL, calculate hashes of their names, and if a hash matches the hardcoded one, they load that function.<\/p>\n<p>Although the approach is common, the implementation seen in Kronos is not typical. Most malware stores the hashes as DWORDs, while Kronos stores them as strings.<\/p>\n<p>Inside the early samples of Kronos, we can find a path to the debug symbols, revealing the directory structure on the machine where the code was built. 
The following path was extracted from one of the Kronos samples observed in the wild (<a href=\"https:\/\/www.virustotal.com\/en\/file\/3bd4b8caf9ae975bd41dbee1f1719cf7be3efa4f52b8768aba30ba9a40569008\/analysis\/\" target=\"_blank\" rel=\"noopener\">01901882c4c01625fd2eeecdd7e6745a<\/a>):<\/p>\n<pre>C:\\Users\\Root\\Desktop\\kronos\\VJF1\\Binaries\\Release\\VJF.1.pdb<\/pre>\n<p>The PDB path can also be found in the DLL (<a href=\"https:\/\/virustotal.com\/en\/file\/ea216cede2a1eff5d76a2f8258d4a89d822f45c3951c5a4734c16ce163153a8f\/analysis\/1502307222\/\" target=\"_blank\" rel=\"noopener\">6c64c708ebe14c9675813bf38bc071cf<\/a>) that belongs to the release of Kronos from 2014:<\/p>\n<pre>C:\\Users\\Root\\Downloads\\Kronos2\\VJF1\\Bot\\injlib\\bin\\injlib-client-Release\\injlib-client.pdb<\/pre>\n<p>This module, <em>injlib-client.dll<\/em>, is the part injected into browsers. In the newer version of Kronos, an analogous DLL can be found; however, the PDB path has been removed.<\/p>\n<h4>Injection into svchost<\/h4>\n<p>The main module of Kronos injects itself into <em>svchost<\/em> (the version from 2014 injects into <em>explorer<\/em> instead). In order to achieve this initial injection, the malware uses a known technique, involving the following steps:<\/p>\n<ol>\n<li>creates the <em>svchost<\/em> process as suspended<\/li>\n<li>maps its sections into its own address space<\/li>\n<li>modifies the sections, adding its own code and patching the entry point in order to redirect the execution there<\/li>\n<li>resumes the suspended process, letting the injected code execute<\/li>\n<\/ol>\n<p>Below, you can see the memory inside the infected svchost (in early versions, the injection was targeting explorer). 
The malware is added in a new, virtual section &#8211; in the given example, mapped at 0x70000:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19200\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/processes.png\" alt=\"\" width=\"625\" height=\"241\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/processes.png 625w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/processes-300x116.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/processes-600x231.png 600w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><\/p>\n<p>This is how the patched entry point of svchost looks &#8211; as we can see, execution is redirected to an address that lies inside the added section (the injected malware):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19196\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/patched_ep.png\" alt=\"\" width=\"708\" height=\"118\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/patched_ep.png 708w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/patched_ep-300x50.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/patched_ep-600x100.png 600w\" sizes=\"auto, (max-width: 708px) 100vw, 708px\" \/><\/p>\n<p>The execution of the injected PE file now starts in a different function &#8211; at RVA 0x11AB0:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19290\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/redirected_ep.png\" alt=\"\" width=\"753\" height=\"126\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/redirected_ep.png 753w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/redirected_ep-300x50.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/redirected_ep-600x100.png 600w\" sizes=\"auto, (max-width: 753px) 100vw, 753px\" \/><\/p>\n<p>&#8211; while the original Entry Point of the malware was at RVA 0x12F22:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19216\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/original_ep.png\" alt=\"\" width=\"493\" height=\"131\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/original_ep.png 493w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/original_ep-300x80.png 300w\" sizes=\"auto, (max-width: 493px) 100vw, 493px\" \/><\/p>\n<p>The malware defends itself against analysis: if a VM or debugger is detected, the sample will crash soon after the injection.<\/p>\n<h4>Running the sample from the new Entry Point<\/h4>\n<p>The main operations of the malware start inside the injected module. This is how the new Entry Point looks:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19293\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/injected_ep.png\" alt=\"\" width=\"426\" height=\"208\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/injected_ep.png 426w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/injected_ep-300x146.png 300w\" sizes=\"auto, (max-width: 426px) 100vw, 426px\" \/><\/p>\n<p>The main function is responsible for loading all the imports and then deploying the malicious actions.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19375\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/main_stage-3.png\" alt=\"\" width=\"691\" height=\"576\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/main_stage-3.png 691w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/main_stage-3-300x250.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/main_stage-3-600x500.png 
600w\" sizes=\"auto, (max-width: 691px) 100vw, 691px\" \/><\/p>\n<p>If you are an analyst trying to run Kronos from that point of the execution, you will find some tips below.<\/p>\n<p>The first block of the function is responsible for filling the import table of the injected module. If we want to run the sample from that point, rather than following it when it is injected, there are some important things to notice. First of all, the loader is supposed to fill some variables inside the injected executable, e.g. the variable <em>module_base<\/em>. Other functions refer to it, so if it does not contain a valid value, the sample will crash. Also, the functions filling the imports expect the section <em>.rdata<\/em> (containing the thunks to be filled) to be writable. It is writable when the sample is injected, because then the full PE is mapped in a memory region with RWX (read-write-execute) access rights. However, in the normal case &#8211; when the sample is run from the disk &#8211; it is not. That&#8217;s why, in order to pass this stage, we need to change the section&#8217;s access rights manually.<\/p>\n<p>Another option is to run the Kronos sample starting from the next block of the main function. This also leads to successful execution, because if the sample is run from the disk rather than injected, the imports are filled by the Windows loader and doing it manually is redundant.<\/p>\n<p>The last issue to bypass is the defensive check, described below.<\/p>\n<h4>Defensive tricks<\/h4>\n<p>The malware defends itself by making several environment checks. The checks are pretty standard &#8211; searching for blacklisted processes, modules etc. The series of checks is called from inside one function, and the results are stored as flags set in a dedicated variable:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19281\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/deploy_defense.png\" alt=\"\" width=\"385\" height=\"198\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/deploy_defense.png 385w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/deploy_defense-300x154.png 300w\" sizes=\"auto, (max-width: 385px) 100vw, 385px\" \/><\/p>\n<p>If a debugger\/VM is detected, the variable has a non-zero value. Further on, the positive result of this check is used to make the malware crash, interrupting the analysis.<\/p>\n<p>The crash is implemented by taking an execution path inappropriate for the architecture on which the sample was deployed. The malware is a 32-bit PE file, but it has slightly different execution paths depending on whether it is deployed on a 32- or 64-bit system. 
First, the malware fingerprints the system and sets the flag indicating the architecture:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19292\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/getting_architecture_info.png\" alt=\"\" width=\"321\" height=\"92\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/getting_architecture_info.png 321w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/getting_architecture_info-300x86.png 300w\" sizes=\"auto, (max-width: 321px) 100vw, 321px\" \/><\/p>\n<pre>DWORD is_system64_bit()\n{\n\tDWORD flag = 0;\n\t__asm {\n\t\txor eax, eax      \/\/ clear EAX\n\t\tmov ax, cs        \/\/ read the code segment selector\n\t\tshr eax, 5        \/\/ drop the low 5 bits; 0x1B (native 32-bit) gives 0, 0x23 (WOW64) gives 1\n\t\tmov flag, eax\n\t};\n\treturn flag;\n}<\/pre>\n<p><em>This trick uses observations about typical values of the CS register on different versions of Windows (more information <a href=\"https:\/\/github.com\/corkami\/docs\/blob\/master\/InitialValues.md\" target=\"_blank\" rel=\"noopener\">here<\/a>). It is worth noting that it covers most but not all cases, and because of this the malware may not run properly on some versions of Windows.<\/em><br \/> If a debugger\/VM is detected, the flag indicating the architecture is flipped:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19285\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/flip_the_flag.png\" alt=\"\" width=\"393\" height=\"207\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/flip_the_flag.png 393w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/flip_the_flag-300x158.png 300w\" sizes=\"auto, (max-width: 393px) 100vw, 393px\" \/><\/p>\n<p>That&#8217;s why the sample crashes on the next occasion when the architecture-specific path of execution should be taken.<\/p>\n<p>For example, if the sample is deployed on a 64-bit machine, under Wow64, the syscall can be performed by using the address pointed to by FS:[0xC]. But if the malware runs on a 32-bit machine, the value pointed to by FS:[0xC] will be NULL, so calling it crashes the sample.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19295\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/choose_syscall_type.png\" alt=\"\" width=\"637\" height=\"395\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/choose_syscall_type.png 637w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/choose_syscall_type-300x186.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/choose_syscall_type-600x372.png 600w\" sizes=\"auto, (max-width: 637px) 100vw, 637px\" \/><\/p>\n<p>This way of interrupting analysis is smart &#8211; the sample does not exit immediately after the VM\/debugger is detected, which makes it harder to find out the reason for the crash.<\/p>\n<h4>Using raw syscalls<\/h4>\n<p>As mentioned in the previous paragraph, Kronos uses 
raw syscalls. A syscall is basically the interface that allows user-mode code to call a function implemented by the kernel. Applications usually use them via the API exported by system DLLs (a detailed explanation can be found e.g. <a href=\"https:\/\/www.evilsocket.net\/2014\/02\/11\/on-windows-syscall-mechanism-and-syscall-numbers-extraction-methods\/\" target=\"_blank\" rel=\"noopener\">on EvilSocket&#8217;s blog<\/a>).<\/p>\n<p>Those API calls can easily be tapped by monitoring tools. That&#8217;s why some malware, for the sake of being stealthier, reads the syscall numbers from the appropriate DLLs and issues them from its own code, without using the DLL as a proxy. This trick has been used e.g. by <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/11\/floki-bot-and-the-stealthy-dropper\/\" target=\"_blank\" rel=\"noopener\">Floki bot<\/a>.<\/p>\n<p>Let&#8217;s have a look at how it is implemented in Kronos. First, it fetches the appropriate syscall numbers from the system DLLs. As mentioned before, functions are identified by hashes of their names (the full hash-to-function mapping can be found in the <a href=\"https:\/\/www.lexsi.com\/securityhub\/overview-kronos-banking-malware-rootkit\/?lang=en\" target=\"_blank\" rel=\"noopener\">Lexsi report<\/a>).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19297\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/fetch_syscalls.png\" alt=\"\" width=\"607\" height=\"196\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/fetch_syscalls.png 607w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/fetch_syscalls-300x97.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/fetch_syscalls-600x194.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/fetch_syscalls-604x196.png 604w\" sizes=\"auto, (max-width: 607px) 100vw, 607px\" \/><\/p>\n<p>For example:<\/p>\n<pre>B6F6X4A8R5D3A7C6 -&gt; NtQuerySystemInformation<\/pre>\n<p>The syscall numbers are stored in variables, XORed with a constant. A fragment of the code responsible for extracting the raw syscall numbers from the DLL:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19328\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/read_raw_syscall.png\" alt=\"\" width=\"547\" height=\"171\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/read_raw_syscall.png 547w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/read_raw_syscall-300x94.png 300w\" sizes=\"auto, (max-width: 547px) 100vw, 547px\" \/><\/p>\n<p>To use them further, Kronos implements its own wrapper function for every syscall used, with the appropriate number of parameters. 
You can see an example below:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19296\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/syscall_interface.png\" alt=\"\" width=\"544\" height=\"100\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/syscall_interface.png 544w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/syscall_interface-300x55.png 300w\" sizes=\"auto, (max-width: 544px) 100vw, 544px\" \/><\/p>\n<p>The EAX register contains the number of the syscall. In the given example, it represents the following function:<\/p>\n<pre>00000105 -&gt; NtQuerySystemInformation<\/pre>\n<p>Kronos uses raw syscalls for the functions related to injecting into other processes, because those usually trigger alerts. The functions called this way are listed below:<\/p>\n<pre>NtAllocateVirtualMemory\nNtCreateFile\nNtCreateSection\nNtGetContextThread\nNtOpenProcess\nNtProtectVirtualMemory\nNtQueryInformationProcess\nNtQuerySystemInformation\nNtResumeThread\nNtSetContextThread\nNtSetValueKey<\/pre>\n<p>This matches the black market advertisement, which states: &#8220;<em>The Trojan uses an undetected injection method<\/em>&#8221; (<a href=\"http:\/\/securityintelligence.com\/the-father-of-zeus-kronos-malware-discovered\/\" target=\"_blank\" rel=\"noopener\">source<\/a>).<\/p>\n<h4>Rootkit and the hooking engine<\/h4>\n<p>One of the features this malware provides is a userland rootkit. Kronos hooks the API in other processes so that they will not be able to notice its presence. The hooking is done by a specially crafted block of shellcode that is implanted into each accessible running process.<\/p>\n<p>First, Kronos prepares the block of shellcode to be implanted. 
It fills in all the necessary data: the addresses of the functions that are going to be used, and the installation-specific data that is intended to be hidden.<\/p>\n<p>Then, it searches through the running processes and tries to inject wherever possible. Interestingly, <em>explorer.exe<\/em> and <em>chrome.exe<\/em> are omitted:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19371\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/injecting_function.png\" alt=\"\" width=\"688\" height=\"378\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/injecting_function.png 688w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/injecting_function-300x165.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/injecting_function-600x330.png 600w\" sizes=\"auto, (max-width: 688px) 100vw, 688px\" \/><\/p>\n<p>The shellcode is deployed in a new thread within the infected process:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19372\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/map_and_run.png\" alt=\"\" width=\"753\" height=\"213\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/map_and_run.png 753w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/map_and_run-300x85.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/map_and_run-600x170.png 600w\" sizes=\"auto, (max-width: 753px) 100vw, 753px\" \/><\/p>\n<p>Below you can see the shellcode inside the memory of the infected process:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19370\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/hooking_shellcode.png\" alt=\"\" width=\"598\" height=\"242\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/hooking_shellcode.png 598w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/hooking_shellcode-300x121.png 300w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\" \/><\/p>\n<p>When it runs, it hooks the following functions in the address space of the infected process:<\/p>\n<pre>ZwCreateFile\nNtOpenFile\nZwQueryDirectoryFile\nNtEnumerateValueKey\nRtlGetNativeSystemInformation\nNtSetValueKey\nZwDeleteValueKey\nZwQueryValueKey\nNtOpenProcess<\/pre>\n<p>The interesting thing about this part of Kronos is its similarity to a hooking engine described <a href=\"https:\/\/www.malwaretech.com\/2015\/01\/inline-hooking-for-programmers-part-2.html\" target=\"_blank\" rel=\"noopener\">by MalwareTech on his blog in January 2015<\/a>. Later, he <a href=\"https:\/\/twitter.com\/MalwareTechBlog\/status\/564175340667695104\" target=\"_blank\" rel=\"noopener\">complained in a tweet that cybercriminals had stolen and adapted his code<\/a>. Looking at the hooking engine of Kronos, we can see a big overlap, which made us suspect that this part of Kronos could indeed be based on his ideas. However, it turned out that this technique was described much earlier (e.g. <a href=\"http:\/\/www.rohitab.com\/discuss\/topic\/33771-patch-hook\/?p=10062694\" target=\"_blank\" rel=\"noopener\">here<\/a>, <em>\/\/thanks to\u00a0 <a href=\"https:\/\/twitter.com\/xorsthings\" target=\"_blank\" rel=\"noopener\">@xorsthings<\/a> for the link<\/em> ), and both authors learned it from other sources rather than inventing it.<\/p>\n<p>Let&#8217;s have a look at the technique itself. During hooking, one may run into concurrency issues. If a half-overwritten function starts being executed by another thread, the application will crash. To avoid this, it is best to install the hook with a single atomic assembly instruction. MalwareTech described the idea of using the instruction <strong>lock cmpxchg8b<\/strong> for this purpose. 
The same trick, with a similar implementation, can be found in Kronos.<\/p>\n<p>The hooking function used by Kronos takes two parameters: the address of the function to be hooked and the address of the function used as a proxy. This is the fragment of the implanted shellcode where the hooking function is called:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19356\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/list_of_hooks_set.png\" alt=\"\" width=\"609\" height=\"566\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/list_of_hooks_set.png 609w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/list_of_hooks_set-300x279.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/list_of_hooks_set-600x558.png 600w\" sizes=\"auto, (max-width: 609px) 100vw, 609px\" \/><\/p>\n<p>First, the hooking function searches for a suitable place in the code of the attacked function where the hook can be installed:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19367\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/find_length.png\" alt=\"\" width=\"635\" height=\"491\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/find_length.png 635w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/find_length-300x232.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/find_length-600x464.png 600w\" sizes=\"auto, (max-width: 635px) 100vw, 635px\" \/><\/p>\n<p>The above code is equivalent to the following:<\/p>\n<p><a href=\"https:\/\/github.com\/MalwareTech\/BasicHook\/blob\/master\/BasicHook\/hook.cpp#L103\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/MalwareTech\/BasicHook\/blob\/master\/BasicHook\/hook.cpp#L103<\/a><\/p>\n<p>Then, it installs the hook:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full 
wp-image-19366\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/install_the_hook-1.png\" alt=\"\" width=\"506\" height=\"372\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/install_the_hook-1.png 506w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/install_the_hook-1-300x221.png 300w\" sizes=\"auto, (max-width: 506px) 100vw, 506px\" \/><\/p>\n<p>As we can see, the used method of\u00a0 installing hook is almost identical to:<\/p>\n<p><a href=\"https:\/\/github.com\/MalwareTech\/BasicHook\/blob\/master\/BasicHook\/hook.cpp#L77\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/MalwareTech\/BasicHook\/blob\/master\/BasicHook\/hook.cpp#L77<\/a><\/p>\n<p>Below you can see an example of Kronos hooking a function <em>ZwResumeThread<\/em> in the memory of the attacked process. Instruction <strong>lock cmxch8b<\/strong> is indeed used to overwrite the function&#8217;s beginning:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19368\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/hooking_zw_resumethread_before.png\" alt=\"\" width=\"606\" height=\"196\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/hooking_zw_resumethread_before.png 606w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/hooking_zw_resumethread_before-300x97.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/hooking_zw_resumethread_before-600x194.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/hooking_zw_resumethread_before-604x196.png 604w\" sizes=\"auto, (max-width: 606px) 100vw, 606px\" \/><\/p>\n<p>After the hook installation, whenever the infected process calls the hooked function, the execution is redirected to the proxy code inside the malicious module:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19369\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/hooking_zw_resumethread_after.png\" alt=\"\" width=\"589\" height=\"198\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/hooking_zw_resumethread_after.png 589w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/hooking_zw_resumethread_after-300x101.png 300w\" sizes=\"auto, (max-width: 589px) 100vw, 589px\" \/><\/p>\n<p>The hooking engine used in Kronos is overall more sophisticated. First of all, even the fact that it is a shellcode not a PE file makes a difficulty level of implementing it higher. The author must have taken care of filling all the functions addresses by his own. But also, the author of Kronos shown some more experience in predicting possible real-life scenarios. For example he took additional care for checking if the code was not already hooked (i.e. by other trojans or monitoring tools):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19374\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/check_if_hooked.png\" alt=\"\" width=\"626\" height=\"451\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/check_if_hooked.png 626w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/check_if_hooked-300x216.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/check_if_hooked-600x432.png 600w\" sizes=\"auto, (max-width: 626px) 100vw, 626px\" \/><\/p>\n<h4>Attacking browsers<\/h4>\n<p>The malware injects into a browser an additional module (<em>injlib-client.dll<\/em>). 
Below we can see an example of the DLL injected into the Firefox address space:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19269\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/injected_ffox.png\" alt=\"\" width=\"589\" height=\"263\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/injected_ffox.png 589w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/injected_ffox-300x134.png 300w\" sizes=\"auto, (max-width: 589px) 100vw, 589px\" \/><\/p>\n<p>The malware starts the injected module with the help of the injected shellcode:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19270\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/redirect_to_dll.png\" alt=\"\" width=\"398\" height=\"295\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/redirect_to_dll.png 398w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/redirect_to_dll-300x222.png 300w\" sizes=\"auto, (max-width: 398px) 100vw, 398px\" \/><\/p>\n<p>We can see some API redirections added by the malware. Some of the functions imported by the attacked browser are hooked, so that all the data passing through them is tapped by the Kronos module.<\/p>\n<p>The data grabbed via the hooked browser API is then sent to the main module, which coordinates the malware&#8217;s work and reports to the CnC server.<\/p>\n<h3>Conclusion<\/h3>\n<p>An overall look at the tricks used by Kronos shows that the author has prior experience in implementing malware. The code is well obfuscated, and it also uses various tricks that require an understanding of the low-level workings of the operating system. The author not only used interesting tricks, but used them in a logical and fitting way. 
The level of precision led us to the hypothesis that Kronos is the work of a mature developer, rather than an experimenting youngster.<\/p>\n<h3>Appendix<\/h3>\n<p><a href=\"https:\/\/www.lexsi.com\/securityhub\/overview-kronos-banking-malware-rootkit\/?lang=en\" target=\"_blank\" rel=\"noopener\">https:\/\/www.lexsi.com\/securityhub\/overview-kronos-banking-malware-rootkit\/?lang=en<\/a> &#8211; &#8220;Overview of the Kronos banking malware rootkit&#8221; by Lexsi<\/p>\n<p><a href=\"https:\/\/www.lexsi.com\/securityhub\/kronos-decrypting-the-configuration-file-and-injects\/?lang=en\" target=\"_blank\" rel=\"noopener\">https:\/\/www.lexsi.com\/securityhub\/kronos-decrypting-the-configuration-file-and-injects\/?lang=en<\/a> &#8211; Decrypting the configuration<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/inside-kronos-malware\/\">Inside the Kronos malware &#8211; part 1<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: hasherezade| Date: Fri, 18 Aug 2017 15:14:29 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/inside-kronos-malware\/' title='Inside the Kronos malware - part 1'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2013\/11\/security-threat-category-hacked-unpaced.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>The first part of this research looks at the tricks used by the Kronos banking malware.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category 
Cybercrime">
tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/malware\/\" rel=\"category tag\">Malware<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/banker\/\" rel=\"tag\">banker<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/kronos\/\" rel=\"tag\">kronos<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malwaretech\/\" rel=\"tag\">malwaretech<\/a><\/p>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[1763,4503,13840,3764,13326],"class_list":["post-8807","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-banker","tag-cybercrime","tag-kronos","tag-malware","tag-malwaretech"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8807","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8807"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8807\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8807"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}