{"id":8977,"date":"2017-08-29T08:10:12","date_gmt":"2017-08-29T16:10:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/29\/news-2750\/"},"modified":"2017-08-29T08:10:12","modified_gmt":"2017-08-29T16:10:12","slug":"news-2750","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/08\/29\/news-2750\/","title":{"rendered":"Inside the Kronos malware &#8211; part 2"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Tue, 29 Aug 2017 15:00:00 +0000<\/strong><\/p>\n<p>In the <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/inside-kronos-malware\/\" target=\"_blank\" rel=\"noopener\">previous part of the Kronos analysis<\/a>, we took a look at the installation process of Kronos and explained the technical details of the tricks that Kronos uses in order to remain more stealthy. Now we will move on to look at the malicious actions that Kronos can perform.<\/p>\n<h3>Analyzed samples<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.hybrid-analysis.com\/sample\/4dea938fc2ea6e3ffc5706a1e57b2e0f42caecd7ec0f166a141900158584e58b?environmentId=100\" target=\"_blank\" rel=\"noopener\">ede01f7431543c1fef546f8e1d693a85<\/a> &#8211; downloader (a .doc with a malicious macro)\n<ul>\n<li><a href=\"https:\/\/www.hybrid-analysis.com\/sample\/8389dd850c991127f3b3402dce4201cb693ec0fb7b1e7663fcfa24ef30039851?environmentId=100\" target=\"_blank\" rel=\"noopener\">2a550956263a22991c34f076f3160b49<\/a> &#8211; main bot (packed)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><em>Special thanks to <a href=\"https:\/\/twitter.com\/shotgunner101\" target=\"_blank\" rel=\"noopener\">@shotgunner101<\/a> and <a href=\"https:\/\/twitter.com\/chrisdoman\" target=\"_blank\" rel=\"noopener\">@chrisdoman<\/a> for sharing the samples.<\/em><\/p>\n<h3>Configuration and targets<\/h3>\n<p>Kronos is known as a banking Trojan. 
To enable and configure this feature, the bot may download an additional configuration file from its CnC. After being fetched, it is stored in the installation folder in encrypted form. (It is worth noting that when the config is sent over the network it is encrypted using AES in CBC mode &#8211; but when it is stored on the disk, AES in ECB mode is used.)<\/p>\n<p>Below you can see an example of the installation folder of Kronos, created in <code>%APPDATA%\/Microsoft<\/code>. The folder name is further used as the <code>BotId<\/code>. Both stored files, the executable and the configuration, have the same name and differ only by the extension:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19442\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_with_config.png\" alt=\"\" width=\"583\" height=\"144\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_with_config.png 583w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_with_config-300x74.png 300w\" sizes=\"auto, (max-width: 583px) 100vw, 583px\" \/><\/p>\n<p>Here you can see the captured configuration file in decrypted form:<\/p>\n<p><a href=\"https:\/\/gist.github.com\/malwarezone\/d6de3d53395849123596f5d9e68fe3a3#file-config-txt\" target=\"_blank\" rel=\"noopener\">https:\/\/gist.github.com\/malwarezone\/d6de3d53395849123596f5d9e68fe3a3#file-config-txt<\/a><\/p>\n<p>The format of the configuration follows the standard defined by the famous Zeus malware.<\/p>\n<p>The config specifies the external script that is going to be injected into the targeted website, as well as the place of the injection. 
Below you can see a fragment of the configuration for a sample target &#8211; <em>Wells Fargo Bank<\/em>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19452\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/wells_fargo_config_fragment.png\" alt=\"\" width=\"970\" height=\"292\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/wells_fargo_config_fragment.png 970w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/wells_fargo_config_fragment-300x90.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/wells_fargo_config_fragment-600x181.png 600w\" sizes=\"auto, (max-width: 970px) 100vw, 970px\" \/><\/p>\n<p>In the given example, the injected script is <a class=\"tooltipped tooltipped-s css-truncate\" href=\"https:\/\/gist.github.com\/malwarezone\/d6de3d53395849123596f5d9e68fe3a3#file-figrabber-js\" target=\"_blank\" rel=\"noopener\"> <strong class=\"user-select-contain gist-blob-name css-truncate-target\"> figrabber.js <\/strong> <\/a><\/p>\n<p>It is hosted on the attacker&#8217;s server:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19447\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_formgrabber.png\" alt=\"\" width=\"790\" height=\"454\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_formgrabber.png 790w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_formgrabber-300x172.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_formgrabber-600x345.png 600w\" sizes=\"auto, (max-width: 790px) 100vw, 790px\" \/><\/p>\n<p>The current configuration targets several banks, but also steals credentials for popular services like Google, Twitter, and Facebook.<\/p>\n<p>Indeed, if we open the websites that are targeted by the malware, we can see that the injects have been performed. 
The fragments of code that were defined in the config are implanted in the source of a legitimate website. Some examples are included below:<\/p>\n<p>Facebook:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19444\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/facebook_inject.png\" alt=\"\" width=\"1020\" height=\"338\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/facebook_inject.png 1020w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/facebook_inject-300x99.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/facebook_inject-600x199.png 600w\" sizes=\"auto, (max-width: 1020px) 100vw, 1020px\" \/><\/p>\n<p>Citibank:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19445\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/city_formgrabber_inj.png\" alt=\"\" width=\"1076\" height=\"339\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/city_formgrabber_inj.png 1076w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/city_formgrabber_inj-300x95.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/city_formgrabber_inj-600x189.png 600w\" sizes=\"auto, (max-width: 1076px) 100vw, 1076px\" \/><\/p>\n<p>The injected scripts are responsible for opening an additional pop-up that tries to phish the user and steal his\/her personal data:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19448\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/citi_fake.png\" alt=\"\" width=\"867\" height=\"614\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/citi_fake.png 867w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/citi_fake-300x212.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/citi_fake-600x425.png 600w\" 
sizes=\"auto, (max-width: 867px) 100vw, 867px\" \/><\/p>\n<p>Wells Fargo:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19449\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/wellsfargo_source.png\" alt=\"\" width=\"952\" height=\"393\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/wellsfargo_source.png 952w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/wellsfargo_source-300x124.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/wellsfargo_source-600x248.png 600w\" sizes=\"auto, (max-width: 952px) 100vw, 952px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19450\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/wellsfargo_inj.png\" alt=\"\" width=\"824\" height=\"698\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/wellsfargo_inj.png 824w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/wellsfargo_inj-300x254.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/wellsfargo_inj-600x508.png 600w\" sizes=\"auto, (max-width: 824px) 100vw, 824px\" \/><\/p>\n<p>More cases, and their comparison with the normal site behavior before the infection, are demonstrated in the video:<\/p>\n<p><iframe  src='https:\/\/www.youtube.com\/embed\/HrKL8Hdx6Ks?version=3&#038;rel=1&#038;fs=1&#038;autohide=2&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/p>\n<p>The form is customized to fit the theme of each page. However, its content is the same for each target. Overall, the attack is not very sophisticated and it will probably look suspicious to more advanced users. 
It&#8217;s based purely on social engineering &#8211; trying to convince a user to input all the personal data necessary for banking operations:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19451\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/nagging_form.png\" alt=\"\" width=\"583\" height=\"526\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/nagging_form.png 583w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/nagging_form-300x271.png 300w\" sizes=\"auto, (max-width: 583px) 100vw, 583px\" \/><\/p>\n<h3>Downloader<\/h3>\n<p>Apart from infecting browsers and stealing the data, Kronos also has a downloader feature. During our tests, it downloaded a new executable and saved it in <code>%TEMP%<\/code>. Payloads are stored in an additional directory with the same name as the main installation directory:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19455\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_and_payload-1.png\" alt=\"\" width=\"635\" height=\"329\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_and_payload-1.png 635w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_and_payload-1-300x155.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/kronos_and_payload-1-600x311.png 600w\" sizes=\"auto, (max-width: 635px) 100vw, 635px\" \/><\/p>\n<p>Downloaded payload:<\/p>\n<p><a href=\"https:\/\/virustotal.com\/#\/file\/e675aac1fbb288eb16c1646a288eb8fe3e2c842f03db772f924b0d7c6b122f15\/\" target=\"_blank\" rel=\"noopener\">6f7f79dd2a2bf58ba08d03c64ead5ced <\/a> &#8211; nCBngA.exe<\/p>\n<p>The payload is downloaded from the Kronos CnC:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19456\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/downloading.png\" alt=\"\" width=\"552\" height=\"104\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/downloading.png 552w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/downloading-300x57.png 300w\" sizes=\"auto, (max-width: 552px) 100vw, 552px\" \/><\/p>\n<p>&#8230;in unencrypted form:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19457\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/donwloading_pe.png\" alt=\"\" width=\"593\" height=\"368\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/donwloading_pe.png 593w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/donwloading_pe-300x186.png 300w\" sizes=\"auto, (max-width: 593px) 100vw, 593px\" \/><\/p>\n<p>In the analyzed case, the downloaded payload was just an update of the Kronos bot. However, the same feature may also be used for fetching and deploying other malware families.<\/p>\n<h3>Command and Control (CnC) server<\/h3>\n<p>In the analyzed case, Kronos used the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Fast_flux\" target=\"_blank\" rel=\"noopener\">Fast-Flux technique<\/a> for its CnC. The domain was resolved to a different IP each time. 
For example, the domain <code>hjbkjbhkjhbkjhl.info<\/code> was resolved to an IP address randomly picked from the pool given below:<\/p>\n<pre>46.175.146.50  46.172.209.210  47.188.161.114  74.109.250.65  77.122.51.88  77.122.51.88  89.25.31.94  89.185.15.235  91.196.93.112  176.32.5.207  188.25.234.208  109.121.227.191  <\/pre>\n<p>Watching the communication with the CnC, we observed queries to the page <code>connect.php<\/code>, with an optional parameter <code>a<\/code>:<\/p>\n<pre>connect.php - initial beacon\nconnect.php?a=0 - sending data to the CnC\nconnect.php?a=1 - downloading the configuration from the CnC<\/pre>\n<h3>CnC panel<\/h3>\n<p>Thanks to the code of the CnC panel that leaked online, we can get more insight into all the functionalities and their implementation. Like most malware panels, the Kronos panel is written in PHP and uses a MySQL database. Overview of the files:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19467\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/panel_files.png\" alt=\"\" width=\"569\" height=\"476\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/panel_files.png 569w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/panel_files-300x251.png 300w\" sizes=\"auto, (max-width: 569px) 100vw, 569px\" \/><\/p>\n<p>It turns out that in total the bot has three commands:<\/p>\n<ul>\n<li><code>a=0<\/code> &#8211; sends the grabbed page content<\/li>\n<li><code>a=1<\/code> &#8211; fetches the configuration file<\/li>\n<li><code>a=2<\/code> &#8211; sends the logged windows<\/li>\n<\/ul>\n<p>Below we can see the relevant fragments of the panel&#8217;s code (implemented inside <code>connect.php<\/code>), responsible for parsing and storing the data uploaded by the respective commands.<\/p>\n<p>Command #0 (<code>a=0<\/code>):<br \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19462\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/cmd0_log_data.png\" alt=\"\" width=\"892\" height=\"345\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/cmd0_log_data.png 892w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/cmd0_log_data-300x116.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/cmd0_log_data-600x232.png 600w\" sizes=\"auto, (max-width: 892px) 100vw, 892px\" \/><\/p>\n<p>Command #2 (<code>a=2<\/code>):<br \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19463\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/log_processes.png\" alt=\"\" width=\"898\" height=\"386\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/log_processes.png 898w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/log_processes-300x129.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/log_processes-600x258.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/log_processes-195x85.png 195w\" sizes=\"auto, (max-width: 898px) 100vw, 898px\" \/><\/p>\n<p>The configuration that is sent to the bot is prepared by the following code:<\/p>\n<p>Command #1 (<code>a=1<\/code>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19468\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/command_a1_config.png\" alt=\"\" width=\"594\" height=\"187\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/command_a1_config.png 594w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/command_a1_config-300x94.png 300w\" sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><\/p>\n<p>We can also see very clearly how the config is encrypted &#8211; using AES in CBC mode, where the key is the first 16 bytes of the MD5 of the BotId (this confirms <a 
href=\"https:\/\/www.lexsi.com\/securityhub\/kronos-decrypting-the-configuration-file-and-injects\/?lang=en\" target=\"_blank\" rel=\"noopener\">what researchers from Lexsi lab found by reverse engineering<\/a>).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19458\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/encrypting_config.png\" alt=\"\" width=\"918\" height=\"168\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/encrypting_config.png 918w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/encrypting_config-300x55.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/encrypting_config-600x110.png 600w\" sizes=\"auto, (max-width: 918px) 100vw, 918px\" \/><\/p>\n<p>However, AES is not the only cryptographic algorithm utilized by Kronos. Other commands use Blowfish in ECB mode:<\/p>\n<p>Command #0 (<code>a=0<\/code>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19459\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/command_0.png\" alt=\"\" width=\"838\" height=\"136\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/command_0.png 838w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/command_0-300x49.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/command_0-600x97.png 600w\" sizes=\"auto, (max-width: 838px) 100vw, 838px\" \/><\/p>\n<p>Command #2 (<code>a=2<\/code>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19460\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/command2.png\" alt=\"\" width=\"835\" height=\"166\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/command2.png 835w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/command2-300x60.png 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/command2-600x119.png 600w\" sizes=\"auto, (max-width: 835px) 100vw, 835px\" \/><\/p>\n<p>In all cases, there is a variable called <code>UniqueId<\/code> that is used as the key. The <code>UniqueId<\/code> is nothing more than the <code>BotId<\/code>, which is sent in every POST request in XOR-encoded form.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19461\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/calc_unique_id.png\" alt=\"\" width=\"494\" height=\"295\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/calc_unique_id.png 494w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/calc_unique_id-300x179.png 300w\" sizes=\"auto, (max-width: 494px) 100vw, 494px\" \/><\/p>\n<p>You can find the corresponding Python scripts for decoding the respective requests and responses here:<\/p>\n<p><a href=\"https:\/\/github.com\/hasherezade\/malware_analysis\/tree\/master\/kronos\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/hasherezade\/malware_analysis\/tree\/master\/kronos<\/a><\/p>\n<p>Kronos also comes with the option of adding plugins that extend the core functionality:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19464\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/plugins.png\" alt=\"\" width=\"596\" height=\"93\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/plugins.png 596w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/plugins-300x47.png 300w\" sizes=\"auto, (max-width: 596px) 100vw, 596px\" \/><\/p>\n<p>As we can see, the plugins extend Kronos with espionage capabilities, such as VNC (for viewing the desktop) and logging typed keystrokes.<\/p>\n<h3>Decrypting the communication<\/h3>\n<p>With the help of prepared scripts (available <a 
href=\"https:\/\/github.com\/hasherezade\/malware_analysis\/tree\/master\/kronos\" target=\"_blank\" rel=\"noopener\">here<\/a>), we can decrypt the important elements of the communication between the Kronos bot and the CnC server. Let&#8217;s assume that we have a PCAP file with captured traffic.<\/p>\n<h4>The BotId<\/h4>\n<p>We need to start by getting the Kronos <code>BotId<\/code>, because, as we know, it is used to derive the encryption keys. We will find it in the requests sent by the bot to its CnC (74 bytes long):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19475\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/traffic_fragment.png\" alt=\"\" width=\"525\" height=\"88\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/traffic_fragment.png 525w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/traffic_fragment-300x50.png 300w\" sizes=\"auto, (max-width: 525px) 100vw, 525px\" \/><\/p>\n<p>After dumping the request, we can use the following script to decode it:<\/p>\n<pre>.\/kronos_beacon_decoder.py --infile dump1.bin  <\/pre>\n<p>As the output we will get the decoded beacon, consisting of:<\/p>\n<ol>\n<li>Hash of the configuration file (if no configuration file was present at the moment, this part will be filled with &#8220;X&#8221; characters)<\/li>\n<li>The BotId<\/li>\n<\/ol>\n<p>Example:<\/p>\n<pre>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<strong>{117BB161-6479-4624-858B-4D2CE81593A2}<\/strong>  <\/pre>\n<p>So, in the demonstrated case the BotId is <code>{117BB161-6479-4624-858B-4D2CE81593A2}<\/code>.<\/p>\n<h4>The configuration<\/h4>\n<p>Having the BotId, we can move on to decrypting the configuration. 
It arrives in the response to the <code>a=1<\/code> request:<br \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19476\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/a1_resp.png\" alt=\"\" width=\"519\" height=\"47\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/a1_resp.png 519w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/a1_resp-300x27.png 300w\" sizes=\"auto, (max-width: 519px) 100vw, 519px\" \/><\/p>\n<p>Example of the request followed by the encrypted response from the CnC:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19479\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/beacon_and_resp.png\" alt=\"\" width=\"726\" height=\"555\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/beacon_and_resp.png 726w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/beacon_and_resp-300x229.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/beacon_and_resp-600x459.png 600w\" sizes=\"auto, (max-width: 726px) 100vw, 726px\" \/><\/p>\n<p>After dumping the response, we can use another script to decode it, giving the BotId as a parameter:<\/p>\n<pre>.\/kronos_a1_decoder.py --datafile dump2.bin --botid {117BB161-6479-4624-858B-4D2CE81593A2}  <\/pre>\n<p>As a result, we will get the configuration file. 
Example of the decoded config:<br \/> <a href=\"https:\/\/gist.github.com\/malwarezone\/a7fc13d4142da0c6a67b5e575156c720#file-config-txt\" target=\"_blank\" rel=\"noopener\">https:\/\/gist.github.com\/malwarezone\/a7fc13d4142da0c6a67b5e575156c720#file-config-txt<\/a><\/p>\n<h4>The sent reports<\/h4>\n<p>Sometimes we can find the Kronos bot reporting to the CnC in <code>a=0<\/code> or <code>a=2<\/code> requests:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19477\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/sent_a0.png\" alt=\"\" width=\"527\" height=\"43\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/sent_a0.png 527w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/sent_a0-300x24.png 300w\" sizes=\"auto, (max-width: 527px) 100vw, 527px\" \/><\/p>\n<p>Example of the encrypted request:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19478\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/sent_report.png\" alt=\"\" width=\"743\" height=\"265\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/sent_report.png 743w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/sent_report-300x107.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/sent_report-600x214.png 600w\" sizes=\"auto, (max-width: 743px) 100vw, 743px\" \/><\/p>\n<p>Finding out exactly what data was stolen by Kronos is not difficult if we dump the data and use the dedicated script:<\/p>\n<pre>.\/kronos_a02_decoder.py --datafile dump3.bin --botid {117BB161-6479-4624-858B-4D2CE81593A2}  <\/pre>\n<p>Example of the decoded report:<br \/> <a href=\"https:\/\/gist.github.com\/malwarezone\/a03fa49de475dfbdb7c499ff2bbb3314#file-a0_req-txt\" target=\"_blank\" rel=\"noopener\">https:\/\/gist.github.com\/malwarezone\/a03fa49de475dfbdb7c499ff2bbb3314#file-a0_req-txt<\/a><\/p>\n<h3>Conclusion<\/h3>\n<p>In terms of code 
quality, Kronos is written in a decent way; however, its features are nothing novel. Although the <a href=\"https:\/\/blog.sensecy.com\/2014\/07\/15\/two-new-banking-trojans-offered-for-sale-on-the-russian-underground\/\" target=\"_blank\" rel=\"noopener\">bot got good reviews on underground forums<\/a>, in terms of popularity it was always lagging behind. Probably its relatively high price was the main factor in why it lost out to its competitors.<\/p>\n<h3>Appendix<\/h3>\n<p>See also:<\/p>\n<blockquote data-secret=\"VJn8IUF8vW\" class=\"wp-embedded-content\">\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/inside-kronos-malware\/\">Inside the Kronos malware &#8211; part 1<\/a><\/p>\n<\/blockquote>\n<p><iframe loading=\"lazy\"  src=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/inside-kronos-malware\/embed\/#?secret=VJn8IUF8vW\" width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/p>\n<hr \/>\n<p><em><span class=\"s1\">This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. <\/span><span class=\"s1\">She loves going into detail about malware and sharing threat information with the community. 
<\/span><span class=\"s2\">Check her out on Twitter @<a href=\"https:\/\/twitter.com\/hasherezade\" target=\"_blank\" rel=\"noopener noreferrer\">hasherezade<\/a> and her personal blog: <span class=\"s3\"><a href=\"https:\/\/hshrzd.wordpress.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/hshrzd.wordpress.com<\/a>.<\/span><\/span><\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/inside-kronos-malware-p2\/\">Inside the Kronos malware &#8211; part 2<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/inside-kronos-malware-p2\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Tue, 29 Aug 2017 15:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/inside-kronos-malware-p2\/' title='Inside the Kronos malware - part 2'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/shutterstock_293166725.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>In part two of our Kronos malware analysis, we look at the malicious actions Kronos can perform.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/malware\/\" rel=\"category tag\">Malware<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/banking-trojan\/\" rel=\"tag\">banking Trojan<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/citibank\/\" rel=\"tag\">Citibank<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/facebook\/\" 
rel=\"tag\">facebook<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/kronos\/\" rel=\"tag\">kronos<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/kronos-malware\/\" rel=\"tag\">Kronos malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/trojan\/\" rel=\"tag\">trojan<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/wells-fargo\/\" rel=\"tag\">Wells Fargo<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/zeus-malware\/\" rel=\"tag\">Zeus malware<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/inside-kronos-malware-p2\/' title='Inside the Kronos malware - part 2'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/inside-kronos-malware-p2\/\">Inside the Kronos malware &#8211; part 2<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11990,14219,4503,3589,13840,13907,3764,10833,14220,11103],"class_list":["post-8977","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-banking-trojan","tag-citibank","tag-cybercrime","tag-facebook","tag-kronos","tag-kronos-malware","tag-malware","tag-trojan","tag-wells-fargo","tag-zeus-malware"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8977"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8977\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8977"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}