RSA security researcher Limor Kessem noted that a new kit dubbed KINS has been put up for sale in the shadowy underground crime forums of Russia, sharing few features with other trojans, including Zeus, Citadel and SpyEye. She said that although KINS’ author immediately and swiftly denied all ties to other trojans, KINS architecture is built like Zeus/SpyEye, with a main file and DLL-based plugins; is compatible with Zeus web injections, like SpyEye; comes with the Anti-Rapport plugin which was featured in SpyEye; will work with RDP (like SpyEye); and comes with outstanding technical support and a user-friendly interface, like Zeus and Citadel.
In terms of victims, the author is taking care of his own: the bug has been engineered to avoid infecting Russian-language PCs (a feature that was first introduced by Citadel in January 2012). For everyone else, though, there could be a quickly spreading infection at hand. Kessem said that it’s being spread via popular exploit packs such as Neutrino, and it will take hold of the infected computer from a much deeper level than the average Trojan, using the Volume Boot Record (VBR). Also, KINS will easily infect machines running Win8 and x64 operating systems.
She added that KINS has been awaited with bated breath by the hacking underground, and is being embraced with gusto. Since December 2012, when the spokesperson of the Citadel team took the trojan off the semi-open underground market, cybercriminals have been scrambling to find a replacement.
“The moment Citadel was off the market, the deep-web enclaves, where fraudsters congregate, became awash with fraud-as-a-service deals for Trojan binaries and hosting packages,” she said in a blog. “During the dry months that had suddenly befallen the lower ranking cyber criminals, a few shady malware developers attempted to make a few bucks by trying to appease them with basic malware and converted HTTP botnets (Trojans that carry out lists of tasks, equipped with a form-grabber), but even the pseudo return of the Carberp Trojan left the underground hungry for more.”
Meanwhile, the ongoing turbulence since the leak of the Zeus code in mid-2011 has not given way to a stable offering in the underground, she added, “and it seems that professional cybercrime malware developers are just not what they used to be.”
Five months after RSA picked up an initial mention of a banking trojan dubbed KINS in the underground, it has appeared in commercialized form. “As the story unfolds, it is not surprising that KINS’ developer is being ushered into the Russian-speaking cybercrime community with much enthusiasm, commended for his decision to make KINS commercial and share it the old-fashioned way,” Kessem said. “Beyond being advertised on the most exclusive venues where all other major Trojans were introduced in the past, KINS appears already to be a familiar name in the underground, its developer is responsive and further offers technical support to new customers, which has become a strong selling point for any malware vendor.” And a warning flag for anti-fraud teams around the globe.