- KRONOS/Osiris attack IOCs
- Defense Evasion: KRONOS/Osiris uses anti-VM and anti-sandbox checks to evade detection and analysis in virtual environments. In many cases the malware also modifies the Internet zone settings through the registry and lowers Firefox's security settings so that its man-in-the-browser web injects into banking websites are not blocked.
- Persistence: In some cases the malware copies itself to C:\Users\%\AppData\Roaming\<Generated_GUID>\ together with several DLLs, Tor executables and image files. It also writes to the Start Menu, creating a shortcut in the Startup folder "C:\Users\%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" so that it is launched at every logon.
- Collection: KRONOS/Osiris steals sensitive data from multiple sources. The primary collection method is a man-in-the-browser attack: it web-injects malicious script into banking websites and grabs submitted form values. The malware downloads the latest web-inject configuration (which specifies where in each target banking website the script is injected) from the C2.
- Observed Artifacts
- Hash Values (SHA-256)
- 22d5ed604be99b7702a2f69fb412bd8b95f36f0a637951a8db35b46147180c3d
- 3eb389ea6d4882b0d4a613dba89a04f4c454448ff7a60a282986bdded6750741
- 4af17e81e9badf3d03572e808e0a881f6c61969157052903cd68962b9e084177
- b4266752945011bc04f162ea53d4d78dd804dce5bb411c8dcc09fcf2e3ca3b5c
- 75769405a034d7db09b54b9e227722692a106dd5dc4acf48a60c70cbdc8e3f12
- bb4cafb0c6393b397d381a806acf959de468ac49bdb4e8f7550970e29ac0b1b3
- 9806d1b664c73712bc029e880543dfa013fdd128dd33682c2cfe5ad24de075b9
- 3bd4b8caf9ae975bd41dbee1f1719cf7be3efa4f52b8768aba30ba9a40569008
- bb308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d
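A small triage script built from the indicators above, added here as an example and not part of the original paste: it hashes a directory tree against the SHA-256 list (deduplicated, since one hash is listed twice), flags GUID-named folders under Roaming that hold a Tor executable next to DLLs, and finds Startup shortcuts whose bytes reference such a folder. The demo profile tree, the folder name {0f3c2a1b-77e2-4c3e-9b1a-2d5e6f7a8b9c}, and the file names in it are constructed for the example only; on a live host or a mounted image, point the functions at the real %APPDATA% paths instead.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 IOCs from this paste, deduplicated (one hash is listed twice above).
KRONOS_OSIRIS_SHA256 = frozenset({
    "22d5ed604be99b7702a2f69fb412bd8b95f36f0a637951a8db35b46147180c3d",
    "3eb389ea6d4882b0d4a613dba89a04f4c454448ff7a60a282986bdded6750741",
    "4af17e81e9badf3d03572e808e0a881f6c61969157052903cd68962b9e084177",
    "b4266752945011bc04f162ea53d4d78dd804dce5bb411c8dcc09fcf2e3ca3b5c",
    "75769405a034d7db09b54b9e227722692a106dd5dc4acf48a60c70cbdc8e3f12",
    "bb4cafb0c6393b397d381a806acf959de468ac49bdb4e8f7550970e29ac0b1b3",
    "9806d1b664c73712bc029e880543dfa013fdd128dd33682c2cfe5ad24de075b9",
    "3bd4b8caf9ae975bd41dbee1f1719cf7be3efa4f52b8768aba30ba9a40569008",
    "bb308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d",
})

# Directory names that look like a GUID, with or without braces.
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I)


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries/images are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=KRONOS_OSIRIS_SHA256):
    """Return [(path, sha256)] for every file under root whose hash is in iocs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:  # locked or unreadable file: skip it, do not abort the sweep
                continue
            if digest in iocs:
                hits.append((p, digest))
    return hits


def is_guid_dirname(name):
    return bool(GUID_RE.match(name))


def suspicious_roaming_dirs(roaming):
    """GUID-named folders directly under Roaming holding a Tor binary next to DLLs."""
    found = []
    roaming = Path(roaming)
    if not roaming.is_dir():
        return found
    for d in roaming.iterdir():
        if not d.is_dir() or not is_guid_dirname(d.name):
            continue
        names = {c.name.lower() for c in d.iterdir() if c.is_file()}
        has_tor = any(n.startswith("tor") and n.endswith(".exe") for n in names)
        has_dll = any(n.endswith(".dll") for n in names)
        if has_tor and has_dll:
            found.append(d)
    return found


def startup_links_referencing(startup, dirnames):
    """.lnk files in the Startup folder whose raw bytes mention one of dirnames.
    Shortcut targets are stored as ANSI or UTF-16LE, so both encodings are tried;
    this is a byte search, not a full shell-link parser."""
    hits = []
    startup = Path(startup)
    if not startup.is_dir():
        return hits
    for lnk in startup.glob("*.lnk"):
        data = lnk.read_bytes()
        for name in dirnames:
            if name.encode("ascii") in data or name.encode("utf-16-le") in data:
                hits.append((lnk, name))
                break
    return hits


def build_demo_tree():
    """Constructed sample profile (no real malware): a GUID drop folder with a placeholder
    tor.exe and DLL, a fake Startup .lnk embedding that path, and an unrelated sample file."""
    root = Path(tempfile.mkdtemp(prefix="kronos-demo-"))
    guid = "{0f3c2a1b-77e2-4c3e-9b1a-2d5e6f7a8b9c}"  # hypothetical folder name
    roaming = root / "AppData" / "Roaming"
    drop = roaming / guid
    drop.mkdir(parents=True)
    (drop / "tor.exe").write_bytes(b"MZ constructed placeholder, not a real binary\n")
    (drop / "helper.dll").write_bytes(b"MZ constructed placeholder dll\n")
    startup = roaming / "Microsoft/Windows/Start Menu/Programs/Startup"
    startup.mkdir(parents=True)
    # Not a valid shell link; only the embedded UTF-16LE target path matters for the search.
    (startup / "update.lnk").write_bytes(
        b"L\x00\x00\x00" + (str(drop) + "\\tor.exe").encode("utf-16-le"))
    sample = root / "sample.bin"
    sample.write_bytes(b"constructed sample payload\n")
    return {"root": str(root), "roaming": str(roaming), "startup": str(startup),
            "guid": guid, "sample_sha256": sha256_file(sample)}


if __name__ == "__main__":
    demo = build_demo_tree()  # on a live Windows host use %APPDATA% paths instead
    drops = suspicious_roaming_dirs(demo["roaming"])
    print("GUID drop folders with Tor + DLLs:", [d.name for d in drops])
    print("Startup links into them:", startup_links_referencing(demo["startup"], [d.name for d in drops]))
    print("Hash IOC hits:", scan_tree(demo["root"]))
```

Hash matching alone is brittle against repacked samples, which is why the persistence-layout checks are included: a GUID-named Roaming folder containing a Tor binary plus DLLs, referenced from a Startup shortcut, is worth a look even when no hash on the list matches.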