Advisory Type | Malware Intelligence
Malware Name | Osiris, Kronos
Malware Type | Banking Trojan
Target System | Windows
Affected Industry | BFSI, Business Services, Technology, Retail, Healthcare, Higher Education, Manufacturing
Affected Regions | Germany, US, Korea, Japan, Poland
Osiris, a banking trojan, is the latest known variant of the Kronos malware. Discovered in June 2014, Kronos did the rounds on a Russian dark web forum, only to stay dormant for the next couple of years. In July 2018, Kronos resurfaced, dubbed Osiris, in attack campaigns targeting Germany, Japan, and Poland. In 2020, another threat actor was also found selling the licence to Osiris. The most recent campaign involving Osiris targeted customers of the German manufacturing industry. This campaign redirected its victims to questionable websites that triggered the multi-stage delivery of the Osiris trojan.
This malware was designed to steal banking credentials from infected victims. Its propagation method has varied since its first appearance. Osiris is now delivered via:
The main feature of the Osiris trojan is its encrypted Tor-based communication with the command-and-control (C2) server, which helps it evade detection. The latest version of the malware added new features such as:
Tactic | Technique ID | Technique
Initial Access | T1189 | Drive-by Compromise
Initial Access | T1566.001 | Spear Phishing Attachment
Privilege Escalation | T1055.001 | Dynamic-link Library Injection
Privilege Escalation | T1055.012 | Process Hollowing
Defense Evasion | T1112 | Modify Registry
Defense Evasion | T1497 | Virtualization/Sandbox Evasion
Discovery | T1497 | Virtualization/Sandbox Evasion
Collection | T1056.001 | Keylogging
Collection | T1185 | Man in the Browser
Command and Control | T1573 | Encrypted Channel
Command and Control | T1090.003 | Multi-hop Proxy
FileHash |
Domain | ylnfkeznzg7o4xjf[.]onion
URL | hxxp://ylnfkeznzg7o4xjf.onion/kpanel/connect[.]php
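As an added detection example (not part of this advisory and not code from the malware or any vendor), the script below refangs the two network indicators listed above and scans proxy log lines for them; it also flags any request to a .onion host, since a direct .onion request in ordinary proxy traffic is the observable side of the Tor-based C2 channel described earlier. The log format and the sample log lines are constructed assumptions.

```python
import re
from typing import Dict, List

# Defanged network indicators exactly as listed in this advisory.
ADVISORY_IOCS = {
    "Domain": "ylnfkeznzg7o4xjf[.]onion",
    "URL": "hxxp://ylnfkeznzg7o4xjf.onion/kpanel/connect[.]php",
}

# Constructed proxy log (assumed format: time client method url status);
# line 2 hits the advisory C2 URL, line 3 is an unrelated .onion host.
SAMPLE_PROXY_LOG = """\
2021-03-01T10:15:02Z 10.0.0.12 GET http://example.com/index.html 200
2021-03-01T10:15:09Z 10.0.0.12 POST http://ylnfkeznzg7o4xjf.onion/kpanel/connect.php 200
2021-03-01T10:16:33Z 10.0.0.27 GET http://abcdefghijklmnop.onion/ 503
2021-03-01T10:17:01Z 10.0.0.30 GET https://intranet.corp/login 200
"""

# URL whose host is a v2 (16 chars) or v3 (56 chars) base32 .onion address.
ONION_URL = re.compile(r"^https?://[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion(?:[:/]|$)", re.I)

def refang(indicator: str) -> str:
    """Turn a defanged indicator ([.] / hxxp) back into its matchable form."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))

def scan_proxy_log(log_text: str, iocs: Dict[str, str] = ADVISORY_IOCS) -> List[dict]:
    """Flag lines that match the refanged advisory URL/domain (check 1) or
    request any .onion host at all (check 2), the generic footprint of the
    Tor-based C2 channel; returns one finding per flagged line."""
    refanged = {kind: refang(value) for kind, value in iocs.items()}
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        host = url.split("://", 1)[-1].split("/", 1)[0]
        reasons = []
        if url == refanged["URL"]:
            reasons.append("matches advisory C2 URL")
        elif host == refanged["Domain"]:
            reasons.append("matches advisory C2 domain")
        if ONION_URL.match(url):
            reasons.append(".onion host in proxy traffic")
        if reasons:
            findings.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return findings
```

Running `scan_proxy_log(SAMPLE_PROXY_LOG)` returns two findings: the C2 POST from 10.0.0.12 (both reasons) and the unrelated .onion request from 10.0.0.27 (the generic Tor check only).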