Kronos, the banking trojan that led to the indictment of popular malware researcher Marcus Hutchins in the U.S., was actively used by cyber criminals between July 2014 and July 2015.
Kronos disguised itself as legitimate software to infiltrate web browsers and steal banking passwords and other financial information.
On Thursday afternoon, British malware researcher Marcus Hutchins was picked up by the FBI at Las Vegas airport while on his way back to London after attending a couple of cyber security conferences in the city.
Hutchins, along with a suspected accomplice, was indicted for his role in creating and selling Kronos, a banking trojan that was used by criminals to steal banking passwords and other financial information.
The FBI believes that Kronos was actively traded for $7,000 per sample in Dark Net marketplaces like AlphaBay and Hansa darkweb as well as in Russian underground forums which were frequented by criminals looking for viruses, trojans, and malware.
Kronos was also offered in Dark Net marketplaces on $1,000 one-week trials and came with free upgrades and bug fixes that ensured its longevity and effectiveness. It is believed that it was developed and maintained by a powerful hacker group that possessed the latest exploits capable of bypassing malware detection settings in popular browsers like Google Chrome, Firefox and Internet Explorer.
In Dark Net marketplaces, Kronos was among the most popular malware on sale, alongside CryptoLocker ransomware, which helped hackers earn $27 million in December of 2013 alone, Philadelphia Ransomware, CTBlocker, Stampado and Blackmail Bitcoin Ransomware.
In July, the United States’ FBI and the Drug Enforcement Agency announced that following a months-long operation, they had succeeded in taking down AlphaBay and Hansa darkweb and had arrested a number of cyber criminals who used to run Dark Net marketplace servers.
Even though it was very popular among criminals between July 2014 and July 2015, Kronos continued to remain in use until late last year. Aside from stealing banking information, it was also used to infect retailers, steal credit card details and infect point-of-sale systems.
According to security firm Proofpoint, Kronos was also used by criminals in phishing emails sent to educational, healthcare and hospitality institutions.
‘We observed several relatively large email campaigns distributing the Kronos banking Trojan. In these campaigns, though, Kronos acted as a loader with a new Point-of-Sale (POS) malware dubbed ScanPOS as the secondary payload,’ the firm said in a blog post.
‘The campaigns distributing ScanPOS are heavily targeted at the hospitality vertical in North America and the UK, among other countries that observe the Christmas and/or Thanksgiving holidays,’ it added.
Aside from disguising itself as legitimate software to evade malware detection mechanisms in web browsers, Kronos also contained a “user-mode rootkit” which was compatible with 32-bit and 64-bit Windows-based computers and allowed hackers to evade antivirus software.