Osiris Banking Trojan Threat Intelligence Advisory

CloudSEK threat intelligence advisory on Osiris banking trojan, the latest variant of Kronos malware, targets banking credentials of victims.

Updated on

April 19, 2023

Published on

February 16, 2021

Read MINUTES

Subscribe to the latest industry news, threats and resources.

Table of Contents

This is also a heading
This is a heading

Advisory Type	Malware Intelligence
Malware Name	Osiris, Kronos
Malware Type	Banking Trojan
Target System	Windows
Affected Industry	BFSI, Business Services, Technology, Retail, Healthcare, Higher Education, Manufacturing,
Affected Regions	Germany, US, Korea, Japan, Poland

Executive Summary

Osiris, a banking trojan, is the latest known variant of the Kronos malware. Discovered in June 2014, the Kronos malware did the rounds on a Russian dark web forum, only to stay dormant for the next couple of years. In July 2018, Kronos resurfaced dubbed as Osiris, in attack campaigns targeting Germany, Japan, and Poland. In 2020 as well another threat actor was found selling the licence to Osiris. The most recent campaign that involved Osiris, targeted customers of the German manufacturing industry. This campaign redirected its victims to questionable websites that triggered the multi-stage delivery of the Osiris trojan. [caption id="attachment_9518" align="alignnone" width="1024"]

Threat actor sells Osiris on a Russian forum in 2018[/caption] [caption id="attachment_9519" align="alignnone" width="1024"]

Threat actor sells Osiris license in 2020[/caption]

Technical Analysis

This malware was designed to steal banking credentials of infected victims. Its propagation has varied since its first appearance. Now Osiris is delivered via:

Spear-phishing email campaigns, where the malicious documents contain macros responsible for downloading the Osiris trojan.
Compromised website that hosts malicious fileless malware, responsible for downloading the trojan.

The main feature of Osiris trojan is its encrypted Tor-based communication with the Command and Control server (C2), which allows it to prevent detection. The latest version of the malware had new, additional features such as:

Support Windows versions Vista / 7 / 8 / 8.1 / 10
Tor Connection
Formgrabber POST and GET requests (it will grab everything) fully supported on Internet Explorer, FireFox, Chrome, Opera and Edge all latest versions.
WebInjections Support (Zeus style webinjects with automatic Update of injections, supported on Internet Explorer, FireFox, Chrome and Edge all latest versions).
Keylogger
CC grabber
Log Parser
Download & Execute
Bot Update
Browser Password Recovery works on Firefox and Chrome
SMTP Outlook 2007,2010,2013,2016 Password Recovery
AntVMware, AntiSandbox, AntiDebug Support
Normal VNC
Socks5 Support
Hidden VNC (HVNC)
Hidden Teamviewer + File Manager of Teamviewer fully Supported

Impact

Technical Impact

Disrupting operating system processes, as the Osiris trojan is injected into one of the running processes on the infected machine.
Data leak
Anonymous connection with the Command and Control server of the attacker

Business Impact

Privacy violation
Financial data leak and loss
Brand and reputation loss

Mitigation

Use up-to-date browsers and plugins, and keep updated with latest patches.
Apply web-based component restrictions such blocking automatic attachment download, blocking javascript, and restricting browser extensions.
Use Antivirus/ Antimalware softwares on the system.
Use Network Intrusion Prevention tools with latest signatures.
Spread awareness through regular training programs focused on phishing attacks.

Tactics, Techniques and Procedures

Tactics	Techniques
Initial Access	T1189	Drive-by Compromise
Initial Access	T1566.001	Spear Phishing Attachment
Privilege Escalation	T1055.001	Dynamic-link Library Injection
Privilege Escalation	T1055.012	Process Hollowing
Defense Evasion	T1112	Modify Registry
Defense Evasion	T1497	Virtualization/Sandbox Evasion
Discovery	T1497	Virtualization/Sandbox Evasion
Collection	T1056.001	Keylogging
Collection	T1185	Man in the Browser
Command and Control	T1573	Encrypted Channel
Command and Control	T1090.003	Multi-hop Proxy

Indicators of Compromise

FileHash	af6cc661c03857f4cbf6c325ebe27743
	e1afd2e8f7dd3ce55d8794f1e7e396fe
	b4cd27f2b37665f51eb9fe685ec1d373
	2fc970b717486762f6c890f525329962662074eb632f0827c901fb1081cbd98f
	63c62d6086a6cf2fcbb22a16c06eb0bc870cdb2f0bb029390d3bc815c06a6c6b
	72c5eeb8807a4576340485377cacc582a3ca651c4632db06903c125be6692968
	91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
	ec936b6bb7497ffb11577c14a9ab2860ec1dd705dc18225bbdab5bf57804bdbc
Domain	ylnfkeznzg7o4xjf[.]onion
URL	hxxp://ylnfkeznzg7o4xjf.onion/kpanel/connect[.]php

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Table of Contents

This is also a heading
This is a heading

Recent Articles

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action

November 15, 2023

CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks

November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.

Schedule a Demo

Real time Threat Intelligence Data

More information and context about Underground Chatter

On-Demand Research Services

Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.

Trusted by 400+ Top organisations