Security researchers at IBM subsidiary Trusteer recently came across new financial malware named Kronos, which is being offered for sale on a Russian underground forum for $7,000.
Kronos includes functionality designed to evade detection and analysis, and offers prospective buyers a one-week test for $1,000 prior to purchase. It uses form grabbing and HTML injection in Internet Explorer, Firefox and Chrome to steal victims' credentials.
Trusteer senior fraud prevention strategist Etay Maor reports that Kronos' HTML injection mechanism is also compatible with Zeus. "Because Zeus is the most widely deployed malware, and it is likely that potential clients have used or still use Zeus variants, the authors of Kronos made sure that the HTML injection files used by Zeus operators can be easily implemented with Kronos," Maor writes in a blog post describing the malware.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Maor notes that the $7,000 price tag is much higher than that for most malware these days. "This price, however, is not the first time a new malware seller has demanded a premium," he writes. "Approximately four years ago, Carberp was released and priced at $10,000 (and $15,000 for the addition of the VNC module, which is almost a standard capability of today's financial malware)."
RedSeal Networks chief evangelist Steve Hultquist said by email that Kronos' price point simply underlines the fact that cybercrime is now a real business. "Enterprises need to understand that significant investment is being made by both criminal and government organizations in an effort to attack their infrastructure," he said.
Still, Trusteer's Maor said his company's information about Kronos at this point is based only on the malware author's claims -- the company hasn't yet analyzed a sample of the malware.
"The file sounds impressive, but without third party analysis the claims should be treated with caution," Malwarebytes malware intelligence analyst Christopher Boyd said by email.