# Inside the Kronos malware – part 2 **[blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/](https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/)** Malwarebytes Labs August 29, 2017 In the [previous part of the Kronos analysis, we took a look at the installation process of](https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/) Kronos and explained the technical details of the tricks that this malware uses in order to remain more stealthy. Now we will move on to look at the malicious actions that Kronos can perform. ## Analyzed samples _[Special thanks to @shotgunner101 and](https://twitter.com/shotgunner101)_ _[@chrisdoman for sharing the samples.](https://twitter.com/chrisdoman)_ ## Configuration and targets Kronos is known as a banking Trojan. For the purpose of enabling and configuring this feature, the bot may download from its CnC additional configuration file. After being fetched, it is stored in the installation folder in encrypted form. (It is worth to notice that when the config is sent over the network it is encrypted using AES CBC mode – but when it is stored on the disk, AES in ECB mode is used.) Below you can see an example of the installation folder of Kronos, created in ``` %APPDATA%/Microsoft . The folder name is further used as a BotId . Both stored files, the ``` executable and the configuration, has the same name that differs only by the extension: ----- Here you can see the captured configuration file in a decrypted form: [https://gist.github.com/malwarezone/d6de3d53395849123596f5d9e68fe3a3#file-config-txt](https://gist.github.com/malwarezone/d6de3d53395849123596f5d9e68fe3a3#file-config-txt) The format of the configuration follows the standard defined by the famous Zeus malware. The config specifies the external script that is going to be injected in the targeted website, as well as the place of the injection. Below you can see a fragment of the configuration for a sample target – Wells Fargo Bank: [In the given example, the injected script is figrabber.js](https://gist.github.com/malwarezone/d6de3d53395849123596f5d9e68fe3a3#file-figrabber-js) It is hosted on the server of the attacker: ----- Indeed, if we open the websites that are targeted by the malware we can see that the injects has been performed. The fragments of code that were defined in the config are implanted in the source of a legitimate website. Some examples included below: Facebook: Citibank: ----- The injected scripts are responsible for opening additional pop-up that is trying to phish the user and steal his/her personal data: Wells Fargo: ----- More cases, and their comparison with a normal site behavior before the infection, demonstrated on the video: ----- Watch Video At: https://youtu.be/HrKL8Hdx6Ks The form is customized to fit the theme of each page. However, its content is the same for each target. Overall, the attack is not very sophisticated and it will probably look suspicious to the more advanced users. It’s based purely on social engineering – trying to convince a user to input all personal data that are necessary for banking operations: ----- ## Downloader Apart from infecting browsers and stealing the data, Kronos also has a downloader feature. During our tests, it downloaded a new executable and saved it in the `%TEMP% . Payloads are` stored in the additional directory with the same name as the main installation directory: ----- Downloaded payload: [6f7f79dd2a2bf58ba08d03c64ead5ced – nCBngA.exe](https://virustotal.com/#/file/e675aac1fbb288eb16c1646a288eb8fe3e2c842f03db772f924b0d7c6b122f15/) The payload is downloaded from Kronos CnC: …in unencrypted form: ----- In the analyzed case, downloaded payload was just an update of the Kronos bot. However, the same feature may also be used for fetching and deploying other malware families. ## Command and Controll (CnC) server [In the analyzed case, Kronos used Fast-Flux technique for its CnC. The domain was](https://en.wikipedia.org/wiki/Fast_flux) resolved to a different IP each time. For example, the domain `hjbkjbhkjhbkjhl.info was` resolved to an IP address randomly picked from the pool given below: ``` 46.175.146.50 46.172.209.210 47.188.161.114 74.109.250.65 77.122.51.88 77.122.51.88 89.25.31.94 89.185.15.235 91.196.93.112 176.32.5.207 188.25.234.208 109.121.227.191 ``` Watching the communication with the CnC, we observed queries to the site `connect.php,` with an optional parameter `a :` ``` connect.php - initial beacon connect.php?a=0 - sending data to the CnC connect.php?a=1 - downloading the configuration form the Cnc ## CnC panel ``` ----- Thanks to the code of the CnC panel that leaked online, we can have more insights on all the functionalities and their implementation. Like most of the malware panels, the Kronos panel is written in PHP and uses MySQL database. Overview of the files: It turns out, that in total the bot has three commands: ``` a=0 – sends the grabbed page content a=1 – fetch the configuration file a=2 – send the logged windows ``` Below we can see the relevant fragments of the panel’s code (implemented inside ``` connect.php ), responsible for parsing and storing the data uploaded by the respective ``` commands. ----- Command #0 ( a=0 ): Command #2 ( a=2 ): The configuration that is sent to the bot is prepared by the following code: Command #1 ( a=1 ): ----- We can also see very clearly how the config is encrypted – using AES in CBC mode, where the key is first 16 bytes of md5 of the BotId (it confirms what researchers form Lexsi lab found by reverse engineering). However, AES is not the only cryptographic algorithm that is utilized by Kronos. Other commands use BlowFish in ECB mode: Command #0 ( a=0 ): Command #2 ( a=2 ): In all cases, there is a variable called `UniqueId that is used as a key. The` `UniqueId is` nothing more but the `BotId, that is sent in every POST request in XOR encoded form.` ----- You can find the corresponding Python scripts for decoding the appropriate requests and responses here: [https://github.com/hasherezade/malware_analysis/tree/master/kronos](https://github.com/hasherezade/malware_analysis/tree/master/kronos) Kronos comes also with option of adding some plugins, extending the core functionality: As we may conclude, the plugins are capable of extending Kronos with some espionage capabilities, such as VNC (for viewing the desktop) and logging typed keystrokes. ## Decrypting the communication [With the help of prepared scripts (available here), we can decrypt the important elements of](https://github.com/hasherezade/malware_analysis/tree/master/kronos) the communication between the Kronos bot and the CnC server. Let’s assume that we have a PCAP file with a captured traffic. **The BotId** We need to start from getting the Kronos `BotId, because as we know it will be used to` derive the encryption keys. We will find it in the requests sent by the bot to its CnC (74 bytes long): ----- After dumping the request, we can use the following script to decode it: ``` ./kronos_beacon_decoder.py --infile dump1.bin ``` As the output we will get the decoded beacon, consisting of: 1. Hash of the configuration file (if no configuration file was present at the moment, this part will be filled with “X” characters) 2. The BotId Example: ``` XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX{117BB161-6479-4624-858B-4D2CE81593A2} ``` So, in the demonstrated case the BotId is `{117BB161-6479-4624-858B-4D2CE81593A2} .` **The configuration** Having the BotId, we can move to decrypt the configuration. It arrives in the response to the ``` a=1 request: ``` Example of the request followed by the encrypted response from the CnC: ----- After dumping the response, we can use another script to decode it, giving the BotId as a parameter: ``` ./kronos_a1_decoder.py --datafile dump2.bin --botid {117BB161-6479-4624-858B4D2CE81593A2} ``` As a result, we will get the configuration file. Example of the decoded config: [https://gist.github.com/malwarezone/a7fc13d4142da0c6a67b5e575156c720#file-config-txt](https://gist.github.com/malwarezone/a7fc13d4142da0c6a67b5e575156c720#file-config-txt) **The sent reports** Sometimes we can find the Kronos bot reporting to the CnC in requests a=0 or a=2: Example of the encrypted request: ----- Finding out what was exactly the data stolen by Kronos is not difficult if we dump the data and use the dedicated script: ``` ./kronos_a02_decoder.py --datafile dump3.bin --botid {117BB161-6479-4624-858B4D2CE81593A2} ``` Example of the decoded report: [https://gist.github.com/malwarezone/a03fa49de475dfbdb7c499ff2bbb3314#file-a0_req-txt](https://gist.github.com/malwarezone/a03fa49de475dfbdb7c499ff2bbb3314#file-a0_req-txt) ## Conclusion In terms of code quality, Kronos is written in a decent way, however its features are nothing [novel. Although the bot got good reviews on underground forums, in terms of popularity it](https://blog.sensecy.com/2014/07/15/two-new-banking-trojans-offered-for-sale-on-the-russian-underground/) was always legging behind. Probably its relatively high price was the important factor deciding why it lost with the competitors. ## Appendix See also: [Inside the Kronos malware – part 1](https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/) This video cannot be displayed because your Functional Cookies are currently disabled. [To enable them, please visit our privacy policy and search for the Cookies section. Select](https://www.malwarebytes.com/privacy/#how-we-collect-information) _“Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the_ menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.” _This was a guest post written by Hasherezade, an independent researcher and programmer_ _with a strong interest in InfoSec. She loves going in details about malware and sharing threat_ _[information with the community. Check her out on Twitter @hasherezade and her personal](https://twitter.com/hasherezade)_ _[blog: https://hshrzd wordpress com](https://hshrzd.wordpress.com/)_ -----