Kronos is a banking trojan that first emerged in 2014 and was marketed in underground forums as a crimeware kit to conduct credit card, identity theft, and wire fraud. In September 2018, a new Kronos variant named Osiris introduced several new features including TOR for command and control (C2) communications. The last update to Osiris appears to have been around mid-2019. In February 2021, Zscaler ThreatLabz identified a new Kronos variant that surfaced via spam campaigns to German speakers, which calls itself Ares. In Greek mythology, Ares is the son of Zeus and grandson of Kronos. Thus, the naming convention appears to refer to this new malware variant as the third generation of Kronos. Ares still appears to be in development alongside an information stealer that harvests credentials from various applications including VPN clients and web browsers; the malware can also exfiltrate arbitrary files and cryptocurrency wallets. The threat actor behind this new variant continues to use both Osiris and Ares in parallel. In this blog post, we will examine these new malware developments and campaigns.

Recent samples of Osiris and Ares have been protected by a malware packer written in C that calls itself DarkCrypter. The code is not related to the commercial packer, DarkCrypter, that has been cracked and leaked online. The packer contains the PDB path d:\scm\Italy\dopplegang\DarkCrypter\Bin\Clean.pdb. Interestingly, the packer shares code with Kronos and Osiris including the string encryption algorithm. When the string table is decrypted, the first 41 entries are identical to older Kronos variants with eight new string additions (shown below) to detect sandbox environments: atcuf32.dll

If the anti-analysis checks pass, the packer proceeds to the next step. There are at least two variants of the packer. The first variant decrypts the next-stage payload using Blowfish. However, the decryption process uses a non-standard Blowfish key size. Typically, Blowfish key sizes are between 4 bytes and 56 bytes.
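A triage check built on the PDB path reported above, as an added example that is not code from the original post: it pulls CodeView RSDS debug records out of a file's bytes and compares each embedded path with the reported one. The function names, the project-directory prefix match and the sample bytes are assumptions constructed for this example.

```python
import struct
import uuid

# PDB path reported in the article for the DarkCrypter packer.
REPORTED_PDB = r"d:\scm\Italy\dopplegang\DarkCrypter\Bin\Clean.pdb"
# Assumption of this example: other builds from the same tree share this directory.
PROJECT_DIR = r"d:\scm\Italy\dopplegang\DarkCrypter" + "\\"

RSDS = b"RSDS"            # CodeView PDB 7.0 signature
HEADER_LEN = 4 + 16 + 4   # signature + GUID + age, followed by a NUL-terminated path


def extract_pdb_records(data: bytes):
    """Return (guid, age, path) for every well-formed RSDS record in data."""
    records = []
    pos = data.find(RSDS)
    while pos != -1:
        end = data.find(b"\x00", pos + HEADER_LEN)
        # Skip truncated records and records with an empty path.
        if end != -1 and end > pos + HEADER_LEN:
            guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
            (age,) = struct.unpack_from("<I", data, pos + 20)
            path = data[pos + HEADER_LEN:end].decode("utf-8", errors="replace")
            records.append((str(guid), age, path))
        pos = data.find(RSDS, pos + 1)
    return records


def classify(path: str) -> str:
    """'exact' for the reported path, 'project' for the same tree, else 'none'."""
    p = path.replace("/", "\\").lower()  # Windows paths compare case-insensitively
    if p == REPORTED_PDB.lower():
        return "exact"
    if p.startswith(PROJECT_DIR.lower()):
        return "project"
    return "none"


def scan(data: bytes):
    """Return (path, verdict) for each debug record found in data."""
    return [(path, classify(path)) for _, _, path in extract_pdb_records(data)]


def build_sample(path: str) -> bytes:
    """Constructed test input: filler bytes around one synthetic RSDS record."""
    record = RSDS + uuid.UUID(int=0x1234).bytes_le + struct.pack("<I", 1)
    return b"MZ" + b"\x90" * 64 + record + path.encode() + b"\x00" + b"\xcc" * 16


if __name__ == "__main__":
    for hit in scan(build_sample(REPORTED_PDB)):
        print(hit)
```

A PDB path is trivially changed or stripped by the builder, so a hit is a strong lead while a miss says nothing about the sample.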