Bank_Security

KRONOS/ Osiris attacks IOCs

Sep 12th, 2018
KRONOS/ Osiris attacks IOCs

Defense Evasion: KRONOS/Osiris uses anti-VM and anti-sandbox mechanisms to evade detection or analysis in a virtual environment. In many cases the malware also modifies the Internet zone settings through the registry and lowers the security settings of Firefox so that its man-in-the-browser web injects into banking websites are not blocked.

Persistence: In some cases the malware copies itself to C:\Users\%\AppData\Roaming\<Generated_GUID>\ along with several DLLs, executables for TOR, and image files. It also writes to the Start Menu and creates a shortcut in the Startup folder “C:\Users\%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”.

Collection: KRONOS/Osiris steals sensitive data from multiple sources. The primary collection method is a man-in-the-browser attack that web-injects malicious script into banking websites and grabs form values. The malware downloads the latest configurations for the targeted banking websites (which specify where in the page the script is injected) from the C2.

Observed Artifacts
Hash Values (SHA-256)
22d5ed604be99b7702a2f69fb412bd8b95f36f0a637951a8db35b46147180c3d
3eb389ea6d4882b0d4a613dba89a04f4c454448ff7a60a282986bdded6750741
4af17e81e9badf3d03572e808e0a881f6c61969157052903cd68962b9e084177
b4266752945011bc04f162ea53d4d78dd804dce5bb411c8dcc09fcf2e3ca3b5c
75769405a034d7db09b54b9e227722692a106dd5dc4acf48a60c70cbdc8e3f12
bb4cafb0c6393b397d381a806acf959de468ac49bdb4e8f7550970e29ac0b1b3
4af17e81e9badf3d03572e808e0a881f6c61969157052903cd68962b9e084177
9806d1b664c73712bc029e880543dfa013fdd128dd33682c2cfe5ad24de075b9
3bd4b8caf9ae975bd41dbee1f1719cf7be3efa4f52b8768aba30ba9a40569008
bb308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d
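The following is an added defender-side example, not part of the original paste: a small Python hunting script that loads the SHA-256 list above (deduplicating it, since one value is listed twice), hashes files under a directory and reports matches, intersects a hash export from another tool with the IOC set, and flags GUID-named folders directly under a Roaming directory as a lead for the persistence location described above. The Roaming layout, the GUID format (with or without braces) and the sample "EDR export" list are assumptions constructed for the demo; a GUID-named Roaming folder is a hunting lead, not proof of infection.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 values copied from the paste above. One value appears twice there;
# parse_ioc_list() deduplicates and drops anything that is not 64 hex chars.
RAW_IOC_TEXT = """
22d5ed604be99b7702a2f69fb412bd8b95f36f0a637951a8db35b46147180c3d
3eb389ea6d4882b0d4a613dba89a04f4c454448ff7a60a282986bdded6750741
4af17e81e9badf3d03572e808e0a881f6c61969157052903cd68962b9e084177
b4266752945011bc04f162ea53d4d78dd804dce5bb411c8dcc09fcf2e3ca3b5c
75769405a034d7db09b54b9e227722692a106dd5dc4acf48a60c70cbdc8e3f12
bb4cafb0c6393b397d381a806acf959de468ac49bdb4e8f7550970e29ac0b1b3
4af17e81e9badf3d03572e808e0a881f6c61969157052903cd68962b9e084177
9806d1b664c73712bc029e880543dfa013fdd128dd33682c2cfe5ad24de075b9
3bd4b8caf9ae975bd41dbee1f1719cf7be3efa4f52b8768aba30ba9a40569008
bb308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Assumed GUID shape for the Roaming\<Generated_GUID>\ drop folder, braces optional.
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I
)


def parse_ioc_list(text):
    """Return a frozenset of lowercase SHA-256 strings, skipping blank or malformed lines."""
    out = set()
    for line in text.splitlines():
        h = line.strip().lower()
        if SHA256_RE.match(h):
            out.add(h)
    return frozenset(out)


KRONOS_SHA256 = parse_ioc_list(RAW_IOC_TEXT)


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, iocs=KRONOS_SHA256):
    """Hash every regular file under root; return [(path, sha256)] for IOC matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                h = sha256_file(p)
            except OSError:  # unreadable or vanished file: skip, keep scanning
                continue
            if h in iocs:
                hits.append((p, h))
    return hits


def match_hashes(observed, iocs=KRONOS_SHA256):
    """Intersect hashes exported from another tool with the IOC set, case-insensitively."""
    return sorted({h.strip().lower() for h in observed} & iocs)


def is_guid_dirname(name):
    return bool(GUID_RE.match(name))


def guid_dirs_under(roaming):
    """List GUID-named subdirectories directly under a Roaming folder (lead, not proof)."""
    base = Path(roaming)
    if not base.is_dir():
        return []
    return sorted(d.name for d in base.iterdir() if d.is_dir() and is_guid_dirname(d.name))


def demo():
    """Constructed run: a fake Roaming tree with one GUID-named folder and one benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        roaming = Path(tmp) / "Roaming"
        (roaming / "{3F2504E0-4F89-11D3-9A0C-0305E82C3301}").mkdir(parents=True)
        (roaming / "Microsoft").mkdir()
        (roaming / "Microsoft" / "notes.txt").write_text("constructed benign content")
        file_hits = scan_tree(roaming)          # benign file: no IOC match expected
        guid_hits = guid_dirs_under(roaming)    # the constructed GUID folder
        # Constructed "EDR export": one paste value in upper case plus an unrelated hash.
        export = [
            "22d5ed604be99b7702a2f69fb412bd8b95f36f0a637951a8db35b46147180c3d".upper(),
            "0" * 64,
        ]
        export_hits = match_hashes(export)
    return len(file_hits), guid_hits, export_hits


if __name__ == "__main__":
    print(demo())
```

On a real host you would point scan_tree() at the user's Roaming folder and the Startup folder named above, and feed match_hashes() a hash column exported from your EDR or a file-integrity tool; keep the IOC text in a separate file so the list can be updated without touching the code.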