Security experts claim to have discovered a new piece of banking malware being advertised on the Russian cyber underground as 'Kronos', carrying a sizeable price tag of $7,000.
The Trojan’s description on a “major Russian underground forum” reveals several features designed to evade detection by commonly used security tools such as anti-virus and sandboxing, according to IBM Security senior fraud prevention strategist, Etay Maor.
Also listed are form-grabbing, HTML injection and other common credential-stealing techniques – all compatible with IE, Firefox and Chrome, he said in a blog post.
Maor noted that 'Kronos' in Greek mythology is the name of Zeus’ father, hinting at a possible link between the newly discovered malware and the infamous baking Trojan.
“In addition, the HTML injection mechanism is compatible with Zeus,” he added.
“Because Zeus is the most widely deployed malware, and it is likely that potential clients have used or still use Zeus variants, the authors of Kronos made sure that the HTML injection files used by Zeus operators can be easily implemented with Kronos.”
Other features described in the forum advert are “malware-to-C&C communication encryption” and a 32 or 64-bit ring3 rootkit designed to fend off other Trojans it might encounter.
Maor also pointed out the unusually high price tag associated with this malware - $7,000, as opposed to most similar malware which is sold for just a few hundred dollars or can be used for free thanks to source code leaks.
He added that the seller is offering a one-week testing server for $1,000 and that updates and bug fixes will be offered free of charge, although extra modules will be priced separately when released.
Security experts were cautious about the findings, given that the seller’s claims have not been validated by an analysis of the malware as yet.
“It looks like it may be a spinoff from the Carperb banking Trojan, for which the source was leaked to public domain a year ago, but this has not been confirmed yet,” F-Secure director of security response, Antti Tikkanen, told Infosecurity.
“It remains to be seen if Kronos gets buyers from the underground market, and if the features are as advertised.”