{
	"id": "3e1609a0-044a-4d25-b201-b1e9fd911fd2",
	"created_at": "2026-04-18T02:22:01.239386Z",
	"updated_at": "2026-04-18T02:22:37.357243Z",
	"deleted_at": null,
	"sha1_hash": "f7bfdb4e6f61fc695ed182f802892ae7902ac5c3",
	"title": "Osiris: An Enhanced Banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91839,
	"plain_text": "Osiris: An Enhanced Banking Trojan\r\nBy deugenio\r\nPublished: 2018-07-31 · Archived: 2026-04-18 02:11:52 UTC\r\nResearch By: Yaroslav Harakhavik and Nikita Fokin\r\nFollowing our recent analysis of the Kronos banking Trojan, we discovered that Kronos has now also been enhanced to hide its communication with the C\u0026C server using Tor. While the authorship of Kronos remains a matter of controversy, the new banking Trojan, Osiris, is thought to be based primarily on the Kronos source code and most likely has the same author.\r\nBackground\r\nThe Kronos banking Trojan first appeared on the Russian underground forum exploit.in in 2014, where it was advertised for $2000 a month:\r\nFigure 1: The advertisement of Kronos on exploit.in.\r\nIt had the following technical capabilities:\r\nForm grabber and Zeus-like web-injects compatible with the major browsers (IE, Chrome, Firefox, Microsoft Edge)\r\n32-bit and 64-bit ring 3 rootkit\r\nAntivirus and sandbox bypassing\r\nEncrypted communications with the C\u0026C server\r\nCredit card grabber (as an additional module)\r\nhttps://research.checkpoint.com/2018/osiris-enhanced-banking-trojan/\r\nPage 1 of 11\n\nFrom the leaked Kronos panel source code it was discovered that Kronos supposedly had two additional plugins: remote control via VNC and keylogger functionality.\r\nIn April 2018, however, the promotional campaign of a new banking Trojan called Osiris began.\r\nFigure 2: The advertisement of Osiris from the exploit.in forum.\r\nAs we had an opportunity to obtain a sample of Osiris, we performed an initial analysis, and it turned out that the malware highly resembled Kronos.\r\nKronos Clues\r\nThe similarities between Osiris and Kronos first came to light after analyzing the functions which create a global mutex. Kronos uses an MD5 hash of the hard drive serial number, and if it fails to get the serial number of the system volume it assigns the mutex name MD5(“Kronos”).\r\nThe exact same algorithm is used by Osiris:\r\nFigure 3: Mutex name generation algorithm for Osiris and Kronos.\r\nComparing the primary functionality of Osiris with that of Kronos, which was previously analyzed by Check Point Research, confirmed that, in general, both Trojans do an identical job:\r\nFigure 4: Kronos Main vs. Osiris Main.\r\nFurther comparison between samples of Kronos and Osiris showed that the two malware families have almost the same functionality, as the following matching capabilities indicate:\r\nAlmost the same execution graph and a lot of totally identical code;\r\nGlobal mutex and event names are generated in the identical manner;\r\nThe same persistence methods;\r\nThe same encryption algorithms;\r\nThe same anti-VM and anti-sandboxing techniques;\r\nThe same code obfuscation method (such as using raw syscalls).\r\nAs a result, all of these clues show that Osiris is definitely based on Kronos and is actually an enhanced version of Kronos.\r\nEarlier this month it was discovered that Osiris erupted into the wild and was detected as Kronos by different AV solutions.\r\nKronos vs Osiris\r\nResolving ntdll.dll functions\r\nTo prevent detection by some monitoring software, Kronos calls the native API from its own code without using ntdll.dll as a proxy. The malware obtains the appropriate syscall numbers from ntdll.dll, and the functions are identified by hashes of their names.\r\nFigure 5: Kronos and Osiris syscalls hashes.\r\nThe syscall numbers are stored in variables which are XORed with the constant 0x57ED. Every syscall has its own wrapper function.\r\nFigure 6: Kronos and Osiris wrappers for NtSetValueKey.\r\nAnti-VM and Anti-Sandbox\r\nKronos and Osiris use identical evasion checks. They search for the existence of different processes and loaded modules which can point to the environment where the malware is executed. The results of these checks are then stored in a dedicated variable.\r\nIf a debugger, virtual machine or sandbox is detected, the flag which represents the machine architecture is flipped at that moment. As a result, this causes a crash during the raw syscalls loading:\r\nFigure 7: Osiris/Kronos inverts the flag if a VM was detected.\r\nFigure 8: Architecture dependent calls.\r\nPersistence Mechanism\r\nKronos copies itself into a file named by the first eight characters of MD5(system_volume_serial) in %APPDATA%\\Microsoft\\\u003cGENERATED_GUID\u003e\\ and writes this path to the Registry under Software\\Windows\\CurrentVersion\\Run (HKCU and, if it was run by an admin, in HKLM).\r\nOsiris is supposed to use the same well-known method; however, our researched sample builds all the corresponding paths and names but does not make itself persistent in the system. This is probably due to the malware still being in development.\r\nGlobal Objects in OS\r\nAs described above, the global mutex name is generated by getting an MD5 hash of the string which represents the system volume serial number. If the operation of getting the serial number fails, the hardcoded string “Kronos” is used instead.\r\nOsiris, like Kronos, creates other global objects in the OS which can be used as IOCs. There are a global mutex and a global event whose names are generated by the same algorithm, with the “salt” of this algorithm passed in code constants. Therefore the following two names will be present in any system infected by Osiris/Kronos:\r\nMutex name: Global\\{AD3EBBCA-D942-886C-AD3E-CABB824AEA00}\r\nEvent name: Global\\{2C240B38-28B0-DE58-2C24-380BA08C4000}\r\nConfiguration File\r\nKronos can download a configuration file with Zeus web-injections from the C\u0026C server; the configuration file must be located in the same path as the Kronos executable. A bot sends a beacon to the C\u0026C server which consists of:\r\n1. A hash of the configuration file (or a sequence of ‘X’ characters if there is none).\r\n2. The GUID generated by CoCreateGuid() which represents the BotId.\r\nFigure 9: Reading Kronos’s configuration.\r\nThe researched sample of Osiris did not have such a feature, so it uses the sequence of ‘X’ characters in the beacon every time it is loaded.\r\nFigure 10: Osiris reading configuration stub.\r\nProcess Injection \u0026 User Land Rootkit Functionality\r\nKronos tries to escalate its process token to SeDebugPrivilege and injects the malicious thread into other processes:\r\nFigure 11: Pseudocode of the privilege escalation procedure in Kronos.\r\nAlthough the identical code which is responsible for thread injection is present in Osiris’s binary, it is not called. This fact might also indicate that the malware is still in development.\r\nStealing Browsers \u0026 Outlook User Data\r\nKronos and Osiris also use the same technique to collect and decrypt users’ browser and mail client data.\r\nThe grabbing of Firefox data is executed using the following flow:\r\n1. Osiris gets the path to the Profile folder, where all the changes of user names in Firefox are stored, by accessing the Path value in %APPDATA%\\Mozilla\\Firefox\\profiles.ini.\r\n2. It then loads the nss3.dll library from the Firefox install path, which is read from the HKLM\\Software\\Mozilla\\Mozilla Firefox\\Current Version\\Main\\Install Directory Registry key.\r\n3. The malware then uses nss3.dll functions to decrypt the Firefox user data.\r\nChrome user data is stored in an SQLite database file: C:\\Users\\%current_user%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data. Osiris resolves functions of the sqlite3 library and collects data from the Login Data file using SQL queries.\r\nOutlook Profiles data is searched for in several Registry paths:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\r\nThe malware also tries to collect the values of the following registry keys:\r\nIMAP Server\r\nPOP3 Server\r\nEmail\r\nIMAP Password\r\nSMTP Password\r\nPOP3 Password\r\nThe collected data is then decrypted by CryptUnprotectData().\r\nOsiris Enhancements\r\nAs mentioned above, the original Kronos supported VNC and keylogging functionality as additional plugins, but Osiris has these capabilities out of the box. It therefore uses a modified LibVNCServer library to provide remote control over the bot via the RFB protocol:\r\nFigure 12: Strings from LibVNCServer library in unpacked Osiris.\r\nOsiris also runs a keylogger thread inside the processes into which it is able to inject its malicious code. The keylogger thread then installs a keyboard hook using SetWindowsHookEx():\r\nFigure 13: Pseudocode of the keylogger routine in Osiris.\r\nThe keylogger callback collects the process name, the text of the window’s title bar and everything which is typed inside the hooked windows. The main thread then sends the collected content of each window to the C\u0026C server.\r\nBut the most distinctive feature of Osiris is the use of Tor for communication with the C\u0026C server alongside the basic Kronos encryption techniques. Like Kronos, Osiris communicates with the C\u0026C server via the HTTP protocol using almost the same commands. (The communication protocol of Kronos is well documented in several sources.)\r\nHowever, by using Tor the malware does not interact with the C\u0026C server directly but hides its communication inside the TLS traffic between the bot and a Tor relay:\r\nFigure 14: Network activity during the connection to C\u0026C.\r\nConclusions\r\nAll of the information provided may indicate that both Trojans, Kronos and Osiris, actually have the same origin, and although Kronos has evolved since 2014 it is still detected by the same IOCs. However, in light of all the improvements seen in Osiris, it should certainly still be considered a new threat.\r\nIOCs\r\nMutex Global\\{AD3EBBCA-D942-886C-AD3E-CABB824AEA00}\r\nEvent Global\\{2C240B38-28B0-DE58-2C24-380BA08C4000}\r\nReferences\r\nInside the Kronos malware – part 1: https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/\r\nInside the Kronos malware – part 2: https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/\r\nOverview of the Kronos banking malware rootkit: https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en\r\nKronos: decrypting the configuration file and injects: https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en\r\nCheck Point Anti-Bot blade provides protection against this threat:\r\nTrojan-Banker.Win32.Osiris.A\r\nTrojan-Banker.Win32.Osiris.B\r\nTrojan-Banker.Win32.Osiris.C\r\nTrojan-Banker.Win32.Osiris.D\r\nTrojan-Banker.Win32.Osiris.E\r\nTrojan-Banker.Win32.Osiris.F\r\nSource: https://research.checkpoint.com/2018/osiris-enhanced-banking-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2018/osiris-enhanced-banking-trojan/"
	],
	"report_names": [
		"osiris-enhanced-banking-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1776478921,
	"ts_updated_at": 1776478957,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7bfdb4e6f61fc695ed182f802892ae7902ac5c3.pdf",
		"text": "https://archive.orkl.eu/f7bfdb4e6f61fc695ed182f802892ae7902ac5c3.txt",
		"img": "https://archive.orkl.eu/f7bfdb4e6f61fc695ed182f802892ae7902ac5c3.jpg"
	}
}