Kronos is a banking trojan that first emerged in 2014 and was marketed in underground forums as a crimeware kit for conducting credit card fraud, identity theft, and wire fraud. In September 2018, a new Kronos variant named Osiris introduced several new features, including TOR for command and control (C2) communications. The last update to Osiris appears to have been around mid-2019. In February 2021, Zscaler ThreatLabz identified a new Kronos variant that surfaced via spam campaigns targeting German speakers, which calls itself Ares. In Greek mythology, Ares is the son of Zeus and grandson of Kronos. Thus, the naming convention appears to present this new malware variant as the third generation of Kronos. Ares still appears to be under development, alongside an information stealer that harvests credentials from various applications, including VPN clients and web browsers, and can also exfiltrate arbitrary files and cryptocurrency wallets.
The threat actor behind this new variant continues to use both Osiris and Ares in parallel. In this blog post, we will examine these new malware developments and campaigns.
DarkCrypter
Recent samples of Osiris and Ares have been protected by a malware packer written in C++ that calls itself DarkCrypter. The packer contains the PDB path d:\scm\Italy\dopplegang\DarkCrypter\Bin\Clean.pdb. The code is not related to the commercial packer of the same name, DarkCrypter, which has been cracked and leaked online. Interestingly, the packer shares code with Kronos and Osiris, including the string encryption algorithm. When the string table is decrypted, the first 41 entries are identical to older Kronos variants, with eight new string additions (shown below) used to detect sandbox environments:
atcuf32.dll
umengx86.dll
sandboxie.dll
libctc_sandbox.dll
atcuf64.dll
antimalware_provider32.dll
antimalware_provider64.dll
libctc_onexecute.dll
If the anti-analysis checks pass, the packer proceeds to the next step. There are at least two variants of the packer.
The first variant decrypts the next-stage payload using Blowfish. However, the decryption process uses a non-standard Blowfish key size. Typically, Blowfish key sizes are between 4 bytes and 56 bytes. However, the Blowfish decryption implementation in DarkCrypter supports a hardcoded key size of 288 bytes (although only the first 72 bytes are effectively used, because the Blowfish key schedule XORs the key into its 18 32-bit P-array entries and therefore never reads beyond 18 x 4 = 72 bytes). This may be designed to break cryptographic libraries that implement Blowfish according to the standard, where the maximum key size is limited to 56 bytes. The Blowfish key is located by computing a djb2 hash of each section name in the PE header. The code compares the resulting hash value with two hardcoded values that map to the section names .text (0xb80c0d8) and .sjdata (0xecae6faa).
The second variant of the DarkCrypter packer embeds the second-stage payload in a compressed format rather than in Blowfish-encrypted form. The compression algorithm is identical to that found in Ares and in Ares-related components, including a packer that impersonates a bitmap image header.
Modified UPX Packer
The threat actor has also experimented with modifying UPX headers, which have well-known section names. The modifications made by the threat actor replace the UPX section names (UPX0, UPX1, ...) with standard section names like .text, .data, and .rdata. This breaks compatibility with the command-line UPX decompression tool, although the file can still be decompressed and executed. An example of the file header modifications is shown below in Figure 1 on the left, with the alterations highlighted in red.
Figure 1. Modified and Restored UPX Headers
These changes can easily be restored to the original UPX section names as shown on the right in Figure 1. The UPX command-line utility can then be used to statically unpack this binary, producing the final executable payload.
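Both the section-name hashing DarkCrypter performs and the UPX section renaming described above come down to reading the PE section table. The following is an added example (not code from the original post or from the malware) that does both: djb2 is the common 32-bit variant (h = h*33 + c), which reproduces the two hash values given for .text and .sjdata; the mapping of .rdata back to UPX2 is an assumption, as is the minimal PE32 header skeleton constructed for testing.

```python
import struct

SECTION_HDR = 40  # sizeof(IMAGE_SECTION_HEADER)
NAME_LEN = 8      # section name field is 8 bytes, NUL padded


def djb2(data: bytes) -> int:
    """djb2 over the raw name bytes, truncated to 32 bits, as DarkCrypter uses it."""
    h = 5381
    for b in data:
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def section_table(pe: bytes):
    """Return (file offset of the first IMAGE_SECTION_HEADER, NumberOfSections)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]        # SizeOfOptionalHeader
    return coff + 20 + opt_size, num_sections


def section_names(pe: bytes):
    table, count = section_table(pe)
    return [pe[table + SECTION_HDR * i:][:NAME_LEN].rstrip(b"\0") for i in range(count)]


# Hash values the packer compares against (taken from the analysis above).
DARKCRYPTER_HASHES = {0x0B80C0D8: ".text", 0xECAE6FAA: ".sjdata"}


def find_darkcrypter_sections(pe: bytes):
    """Locate sections the same way the packer does: hash each name, match known values."""
    hits = {}
    for idx, name in enumerate(section_names(pe)):
        label = DARKCRYPTER_HASHES.get(djb2(name))
        if label:
            hits[label] = idx
    return hits


# Assumed rename map for the modified UPX samples (.rdata -> UPX2 is a guess).
UPX_RESTORE = {b".text": b"UPX0", b".data": b"UPX1", b".rdata": b"UPX2"}


def restore_upx_names(pe: bytes, mapping=UPX_RESTORE) -> bytes:
    """Rewrite matching section names in place; nothing else in the file changes."""
    table, count = section_table(pe)
    buf = bytearray(pe)
    for i in range(count):
        off = table + SECTION_HDR * i
        name = bytes(buf[off:off + NAME_LEN]).rstrip(b"\0")
        if name in mapping:
            buf[off:off + NAME_LEN] = mapping[name].ljust(NAME_LEN, b"\0")
    return bytes(buf)


def build_sample_pe(names) -> bytes:
    """Constructed PE32 header skeleton with the given section names (test input only)."""
    opt_size, e_lfanew = 224, 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    sections = b"".join(n.ljust(NAME_LEN, b"\0") + bytes(SECTION_HDR - NAME_LEN) for n in names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections
```

Writing the bytes returned by restore_upx_names back to disk gives a file the stock upx -d tool can process again, provided the samples used the assumed name mapping.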
BMPack
The threat actor has also been using another packer that Zscaler ThreatLabz has dubbed BMPack. This packer has been used to pack both Osiris and Ares payloads. BMPack first decrypts embedded data using an XOR-based algorithm, followed by RC4. After the decryption stage, the file appears to be a bitmap image, as shown in Figure 2.
Figure 2. Fake Bitmap Image Used to Unpack Osiris and Ares Malware Payloads
However, a closer inspection reveals that the data is not actually a bitmap image, but a specific sequence of data structures. By reverse engineering the packer, the format of the data structures can be determined: each consists of three DWORD values representing the compressed size (red), the uncompressed size (green), and the next offset (blue), followed by the compressed data (orange). An example of the first data structure is shown below in Figure 3.
Figure 3. Format of BMPack Data Structures
Each decompressed structure holds a different section of a PE file that is reconstructed and stitched together by a custom loader, and executed.
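The three-DWORD layout above is enough to carve each embedded section from a decrypted BMPack blob before decompression. The following is an added example (not the packer's or the post's own code); it assumes the next-offset field is an absolute offset into the blob with 0 marking the last structure, that the first structure sits at a caller-supplied offset, and it does not reproduce the custom decompressor, so the returned buffers are still compressed. The sample input is constructed.

```python
import struct

# One BMPack structure header: compressed size, uncompressed size, next offset.
BMPACK_HDR = struct.Struct("<III")


def walk_bmpack(blob: bytes, start: int):
    """Carve every structure reachable from `start`.

    Returns a list of (compressed_size, uncompressed_size, compressed_bytes).
    Assumption: next offset is absolute and 0 terminates the chain."""
    records, seen, off = [], set(), start
    while off != 0:
        if off in seen:
            raise ValueError(f"offset {off:#x} visited twice, chain loops")
        if off < 0 or off + BMPACK_HDR.size > len(blob):
            raise ValueError(f"header at {off:#x} runs past the end of the data")
        seen.add(off)
        csize, usize, nxt = BMPACK_HDR.unpack_from(blob, off)
        data_start = off + BMPACK_HDR.size
        if csize == 0 or data_start + csize > len(blob):
            raise ValueError(f"compressed size {csize:#x} at {off:#x} is not plausible")
        records.append((csize, usize, blob[data_start:data_start + csize]))
        off = nxt
    return records


def build_sample_bmpack(sections, start=0x36):
    """Constructed test input: a fake 'BM' prefix padded to `start` bytes, then the
    structures chained by absolute offset; the last one carries a next offset of 0."""
    out = bytearray(b"BM" + bytes(start - 2))
    for i, (usize, data) in enumerate(sections):
        header_at = len(out)
        nxt = header_at + BMPACK_HDR.size + len(data) if i + 1 < len(sections) else 0
        out += BMPACK_HDR.pack(len(data), usize, nxt) + data
    return bytes(out)
```

A uncompressed size smaller than the compressed size, or a chain that loops, is a sign the start offset or the blob decryption was wrong rather than a valid payload.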
Ares Malware
Ares is being actively developed and the malware author continues to create and test new plugins and web injects. In the most recent Ares samples, there is an embedded DLL module that is compressed within the binary. The module contains an export that is designed to establish persistence. The code first copies itself to the location %APPDATA%\Adobe\AdobeNotificationUpdates.exe. It then creates a scheduled task named AdobeNotificationUpdates that is designed to execute Ares every two hours (with an expiration date of 2050-05-02 12:05:00). Similar persistence code is also found in many DarkCrypter samples.
The Ares persistence module has the same compilation prefix as other modules in its PDB path D:\scm\Italy\ares\source_ob\Release\startup.pdb. Ares attempts to locate an export name with the hash value F4S4G3S4U7C6P2P7, which maps to the string ?Startup@@YAHPA_W@Z. Once the address of this function is located, Ares executes the module.
Ares uses the same function hashing algorithm as Kronos, which consists of calculating a CRC64 hash and converting the digest to uppercase hexadecimal characters. The result is then mapped to an alphanumeric value as shown in the Python code below:
def kronos_api_hash(function_name):
    # crc64() and hexdigest() stand for the malware's CRC64 routine and its hex
    # encoding; the digest is 16 hexadecimal characters, so the output is 16 too.
    digest = hexdigest(crc64(function_name)).upper()
    out = ""
    for i in range(len(digest)):
        if i & 1 != 0:
            # odd positions become a digit in the range '0'..'8'
            val = ord(digest[i]) % 9 + ord('0')
        else:
            # even positions become a letter in the range 'A'..'Y'
            val = ord(digest[i]) % 25 + ord('A')
        out += chr(val)
    return out
Ares contains most of the same code as its predecessors, Kronos and Osiris. However, there are several notable differences between Osiris and Ares, especially with respect to the C2 communications. Most Ares samples currently do not communicate with C2 servers over TOR. It is not entirely clear why most Ares samples have the TOR component removed, but the reason may be to reduce the malware's file size and to evade corporate firewalls that block TOR network traffic. However, without TOR, the C2 servers are more vulnerable to takedown attempts. Some Ares samples attempt to address this limitation by hardcoding a large number of C2 URLs in the binary. Zscaler ThreatLabz has observed one Ares sample with 101 hardcoded C2 URLs.
Ares has also slightly modified the bot ID generation code, replacing the string Kronos with the string Ares as shown in Figure 4.
Figure 4. Comparison Between Kronos and Ares Bot ID Generation
Ares uses the HTTP query string parameters shown in Table 1. The HTTP request that sends the report.zip file is unique to Ares and discussed in more detail below.
Query String | Description
a=0 | Send log data
a=1 | Download web injects
a=2 | Send keylogger data
a=3 | Send report.zip file created by Ares Stealer
a=4 | Request new commands
Table 1. Ares Query String Parameters
Ares Commands
Ares supports many of the same commands as Kronos and Osiris. However, some of the commands have been modified and the malware uninstall command (0x1) was removed. There are four modified commands that are supported by Ares as shown below in Table 2.
Command Number | Description
0x3 | Set registry value name MSE to 0
0x4 | Set registry value name MSE to 1
0x6 | Download, decompress, map Ares Stealer into memory, and execute
0xC | Download, decompress, map module into memory, and execute
Table 2. New Commands Introduced By Ares
The commands 0x3 and 0x4 attempt to set a registry value name MSE to zero and one, respectively, under the registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion. However, this registry key does not exist and both functions will fail. This is likely an oversight by the malware author who accidentally left out Windows in this registry path between Microsoft and CurrentVersion. The registry value is not referenced elsewhere in Ares, so it may hint at a future use.
One of the most significant modifications is the command 0x6, which downloads, decompresses, and maps a PE file into memory, and then executes it. Command 0x6 specifically searches for an export name with the hash value C3E0Q6R7F1H2G5A4, which maps to the string CollectInfo. The code passes two string parameters to the CollectInfo export. The first string is a pattern provided by the C2 server and the second is hardcoded to the string %APPDATA%\Google\report.zip. Zscaler ThreatLabz has observed this Ares command being used to download a file from the URL http://mydynamite.dynv6[.]net/panel/upload/stealer.dll. The first four bytes of the response are the uncompressed file size. The file is decompressed using the same compression algorithm as BMPack.
Ares has code artifacts from the development of command 0x6. Samples contain an unreferenced function that attempts to open a file located at d:\scm\Italy\ares\source_ob\Binaries\Release\KittyDll.dll.cmp. The file is decompressed and mapped into memory using the same process as command 0x6. After the file is mapped, the export CollectInfo is called with the parameters: %userprofile%Documents|*.txt|5 and NULL. The purpose of these fields will be described in the next section. Note that there is a missing backslash character between %userprofile% and Documents. This string serves as a directory path, and without the backslash the path is invalid.
Zscaler ThreatLabz has also identified Ares samples that contain another unreferenced function that loads a VNC plugin by attempting to open a file located at d:\scm\Italy\ares\\source_ob\Binaries\Release\vnc.dll.cmp. Similar to the stealer plugin, the file is decompressed, mapped into memory, and the export MakeItStart is called. The MakeItStart export name is resolved similarly to the other Ares functions, using the same CRC64-based hash algorithm and comparing the result with F0U5R4R6Q8H1P3E5. Ares can then terminate the VNC plugin by resolving the export name MakeItStop using the same process and comparing the result with the hash value C6P3T6Q8H1P3E5A8.
The command 0xC is the most recent modification to Ares and only found in newer samples.
Ares Stealer
Ares Stealer is downloaded by Ares and invoked via the export name CollectInfo. The malware is written in C++ and uses the Boost and Curl libraries. Ares Stealer has compilation artifacts showing that the Boost library was compiled in the directory d:\scm\Italy\tools\boost_1_74_0\boost. This directory prefix is identical to DarkCrypter's PDB path and to the location from which the unreferenced Ares test functions attempt to load plugins. This artifact, along with the shared compression code, suggests that the same malware author likely developed DarkCrypter, BMPack, Ares, and Ares Stealer.
The Ares Stealer export CollectInfo takes two parameters: a pipe-delimited string and a filename string. The pipe-delimited string takes three arguments, which are used by the stealer’s file grabber feature. The first parameter is the directory in which to start the file enumeration process, the second parameter is a search pattern, and the last parameter is the directory search depth. The filename string is used to store the results of the extraction, which are added to a zip file.
An example command string observed from an Ares C2 server is %userprofile%|pass*.txt|5. This command will search a victim’s user profile directory up to five levels deep for text files that have the prefix pass.
Ares Stealer collects detailed system information and harvests credentials for numerous applications including FTP clients, VPN clients, web browsers, instant messengers, and email clients. It can also steal files, cryptocurrency wallets, cookies, and credit cards.
The stealer will attempt to extract information from the following applications:
FTP clients: FileZilla
VPN clients: NordVPN, OpenVPN, ProtonVPN
Web browsers: Mozilla Firefox, Google Chrome, Microsoft Edge, Microsoft Internet Explorer, Chromium, Cyberfox, BlackHawk, Comodo IceDragon, CometBird, SeaMonkey, Pale Moon, Waterfox, Mail.ru Atom, Chromodo, Uran, CocCoc, Nichrome, Sputnik, K-Meleon, Maxthon 3, 360 Browser, Amigo, Comodo Dragon, Orbitum, QIP Surf, Liebao, Coowon, Catalina Group Citrio, Fenrir Sleipnir, Elements, Kometa, Chedot, CentBrowser, 7 Star, Iridium, MapleStudio ChromePlus, Torch, Yandex Browser, Epic Privacy Browser, Opera, Brave Browser, Vivaldi, Blisk
Cryptocurrency wallet applications: Coinomi, Guarda, Atomic Wallet, Electrum, Ethereum, Exodus, Bytecoin, Armory, Zcash, Bitcoin, Litecoin
Instant messenger clients: Pidgin
Email clients: Outlook
Osiris
The Osiris version that has been used by this threat actor contains a number of new features since the original version that appeared in April 2018. These updates were introduced around mid-2019 and include the following changes:
New beacon request format that includes information about the compromised system
Zlib compression to reduce the size of requests and responses (including web injects)
Ability to deploy TeamViewer on a compromised host
Ability to steal a victim’s Outlook contacts via Nirsoft’s OutlookAddressBookView utility
Send spam emails to a victim’s contact list
New remote access capabilities
The threat actor has an Osiris C2 server located at http://ylnfkeznzg7o4xjf[.]onion/kpanel/connect.php, which has been instructing infected systems to steal and exfiltrate web browser and email credentials. The web browser harvesting command downloads a sqlite3 library from http://qqkzfkax24p4elax[.]onion/kpanel/upload/sqlite3.dll, which is a dependency for extracting Google Chrome passwords. A second module for harvesting Firefox credentials from a 64-bit system is downloaded from http://qqkzfkax24p4elax[.]onion/kpanel/upload/ffc64.exe.
The C2 is also serving a web inject configuration file, which targets clients at German financial institutions with the URL patterns shown below:
set_url https://*commerzbank.de* GPI
set_url https://*.de/*/entry* GPI
set_url https://*.de/banking-*/portal?* GPI
set_url https://*.de/banking-*/portal;* GPI
set_url https://*.de/portal/portal* GPI
set_url https://*.de/privatkunden/* GPI
set_url https://*.de*abmelden* GPI
set_url https://*.de/de/home* GPI
set_url https://*.de/en/home* GPI
set_url https://*.de/fi/home* GPI
set_url https://*banking.sparda.de* GPI
set_url https://*banking.sparda-* GPI
set_url https://*banking.sparda.de/wps/loggedout.jsp GPI
set_url https://*meine.deutsche-bank.de/trxm/db* GPI
set_url https://*banking.berliner-bank.de/trxm* GPI
set_url https://*meine.norisbank.de/trxm/noris* GPI
set_url https://*targobank.de* GPI
When a victim browses to a website that matches one of these patterns, JavaScript code will be injected from the threat actor’s domain https://securebankingapp[.]com/.
The full list of web injects for this Osiris instance is shown here.
The threat actor has another active Osiris C2 server located at http://qqkzfkax24p4elax[.]onion/kpanel/connect.php. This C2 server is also serving commands to exfiltrate credentials, but the web inject configuration file is blank. However, the C2 server is also providing commands to extract a victim’s email contact list using Nirsoft’s OutlookAddressBookView, which is downloaded from the following locations:
http://qqkzfkax24p4elax[.]onion/kpanel/upload/oabv32.exe (32-bit)
http://qqkzfkax24p4elax[.]onion/kpanel/upload/oabv64.exe (64-bit)
Conclusion
Ares is a new fork of the Kronos banking trojan that appears to be in the early stages of development. The code contains several bugs and unreferenced code segments that are likely used for debugging purposes. The threat actor has invested significant resources in building DarkCrypter, BMPack, Ares, and Ares Stealer. Therefore, activity related to this threat is likely to increase as the malware continues to mature.
Detections
Zscaler’s multilayered cloud security platform detects indicators at various levels, as shown below:
Win32.Banker.Kronos
Win32.Banker.Kronos.LZ
MITRE ATT&CK Table
ID | Technique
T0011 | Command and Control
T1053 | Scheduled Task/Job
T1078 | Valid Accounts
T1087 | Account Discovery
T1090 | Proxy
T1185 | Man in the Browser
T1219 | Remote Access Software
T1497 | Virtualization/Sandbox Evasion
T1552 | Unsecured Credentials
T1573 | Encrypted Channel
T1592 | Gather Victim Host Information
Indicators of Compromise (IOCs)
The following IOCs can be used to detect Osiris and Ares infections.
Yara rules
These rules are valid on unpacked Kronos, Osiris, and Ares binaries.
rule kronos_string_decryption
{
strings:
$ = {6a 1e 5f f7 f7 8b 45 08 8d 3c 1e 8a 04 38 8a ?? ?? ?? ?? ?? 32 c2}
$ = {55 8b ec 51 8b 4d 08 c1 e1 04 8b ?? ?? ?? ?? ?? 8a}
condition:
all of them
}
rule kronos_api_strings
{
strings:
$ = "D7T1H5F0F5A4C6S3"
$ = "H2G3F4F0F5A4D5E6"
$ = "X1U5U8H8F5A4C8C5"
$ = "E3D7R6B3R4H5F3R7"
$ = "X8D3U3P7S6Q3S5R1"
$ = "X8D3T6Q6U3S3A6R1"
$ = "R6G2D2R3A5E3C4U5"
$ = "H7Y6G2R3A5F4D3S8"
$ = "P7Y3Q5P0Y8C2Y6F6"
$ = "R6Y7B3C6E7E6T7U7"
$ = "G2F3G6A6R3F1P6G2"
$ = "S3H8T8Y5F5B5B0X0"
$ = "C8G2T3U3B1H3T5B5"
$ = "C4R7A2P4X3B1H5A4"
$ = "R3Q7T7Q2R6S1Y3R5"
$ = "E3C3A2Y3C4U6S5F5"
$ = "F3P7Y6P3U3E2U5F3"
$ = "E5X0A4Q4F0Y0D6E2"
$ = "X2R0A4Q4F0Y0D6F3"
$ = "H1G7R4Y7D1E6R5F8"
$ = "G3C3R4H7R5T8E5R8"
$ = "F6H5P7T4F6D6Y6D4"
$ = "E3C7U2Y3C3R6R5D5"
$ = "F5E8X5G3Q6T7E6T3"
$ = "E1U3D5F7R2Y5S0H4"
$ = "H3Y5C8Y2D4U8Y4S3"
$ = "U0U6H1T2F6S1P2Y5"
$ = "D5R3T8D5D3H0B4E2"
$ = "D5B6G6R4A6H1P7A3"
$ = "F1Q3D0H4H3T6U1X5"
$ = "A4T6P1G7D6G0F3S5"
$ = "C7G5T6P7U5B1H0F5"
$ = "X2C7E3U6F3A7Y1D5"
$ = "P4Y7T7R7R8X3E3A3"
$ = "C5Y7R2R2H1R7A1B2"
$ = "S4A3E3S3S4T1T3D1"
$ = "B4Y2H7F8A2T3G4H3"
$ = "B5D6X4H5G6S3R2B5"
$ = "B6F6X4A8R5D3A7C6"
$ = "C6P7E6P7A1R5Q4R7"
$ = "R8S7D7S8H6Y4T6B7"
$ = "U0S3T3D3U5F5B4E8"
$ = "F6C3U4P4X3B1H3T5"
$ = "T2F2T3U2H5B1C1A7"
$ = "T0E0H4U0X3A3D4D8"
$ = "C5R4X4H7R5T7A5R6"
$ = "D3S0A7R4F6C8F2R5"
$ = "Y1C1B6A7H3C0E7E7"
$ = "H2E7A5B8Q6G3S7Y3"
$ = "D3Q5F2F3R5Y5Y8S2"
$ = "Y2C3G8R5R3A5F5B4"
$ = "F1D2B6A5T3X2C8R1"
$ = "G5D3P2G0F6G2H8E6"
$ = "Y6Q6P2G0E5E6G2H8"
$ = "Y7D3F3S7X2S4F2X3"
$ = "X7D0E3R2R4Q0E4D3"
condition:
25 of them
}
Snort rules
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Zscaler TROJAN Ares Command Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/connect.php?a="; http_uri; classtype:trojan-activity; rev:1;)