Wednesday, November 09, 2016

Kronos Banking Trojan and Geo-Targeting from Kelihos

Kronos Banking Trojan and Geo-targeted attacks to Australia, Italy, United Kingdom and United States by Kelihos

I'm happy to welcome back guest-blogger Arsh Arora for another blog about the Kelihos botnet. This research is being conducted in our malware research lab at UAB by Arsh (PhD student) and Max Gannon, a malware researcher at UAB, who is about to graduate at the end of this semester and is looking for a job (hint to employers!)

Let’s start the story of the things happening with Kelihos botnet over the past couple of days. After laying low for past couple of weeks, it strikes back with authority. As observed previously, Kelihos continue to geo-target different locations. First and foremost, it started by sending Money Mule spam to users in Italy, Australia, and the United Kingdom, if their email addresses ended with .it, .au, or .uk.  Second, it targeted users in the United States to download a social media management tool “”  Because this was based on country-code targeted of ".us" it is more likely to impact people in education and local government, who are the main users of .us email addresses.  As all these things were happening, it sneaked a malicious word document from a website and uploaded it on the desktop without any indication to the user of the download. The malicious document eventually delivers Kronos malware which is considered to be same as Zeus malware which was sent by Kelihos in August This behavior was bizarre and never observed before this event.

Money Mule Spam

A brief report of the various geo-targeted spam is provided below.

1. Australia - Spam for email addresses ending with ".au" 

Email text is as follows:
Subject: Available Position

The Successful Company is hiring full/part-time employee for an Administrative Assistant position
(Customer Care Team) who can take a part oversee development projects in AU and NZ. This
opportunity is smart for everybody who ready to work as little as a several hours per weekday,
however you will apply for a full time position as well. Competent training programs are accessible
for the applicants. Work experience isn't required at all.
Please send your confirmation to this email cargoinvestmentmiltonlogistics@gmail[dot]com to get more
details concerning a vacancy.
Best Regards


An interesting thing to observe in the body of the text is the special reference to development projects in AU and NZ. To infer, the email body and addresses are not random, but specifically targeted towards the Australian users.

Some of the email subjects being used include:

Subject:  Available Position
Subject: Employment
Subject: Job Offer
Subject: Open Vacancy

2. Italy - Spam for email addresses ending with ".it"

<== Italian Money Mule spam || Google Translate ==>
Original text of the email being spammed is as follows:

Subject: Assunzione al lavoro

Cari Saluti,
Impresa europeo specializzata nella mezzi di trasporto merci per estensione proprio organico
sta ricercando le persone per i nuovi ruoli nella vostra provincia! Stipendio e' da 3002 Euro
al mese piu' bonus. Formazione e' a carico della azienda!
Se hai bisogno di fondi in piu', se sei onesto e coscienzioso dipendente che ha 22 anni
compiuti, ti invitiamo ad inviare il vostro curriculum nel nostro ufficio personale

Distinti saluti
Sandra Trevor,
Responsabile del personale

Some of the email subjects being used include

Subject: Assunzione - collocamento al lavoro
Subject: Assunzione al lavoro
Subject: Cerchiamo collaboratori in vostra area
Subject: Cerchiamo collaboratori in vostra citta
Subject: Cerchiamo collaboratori in vostra provincia
Subject: Cerchiamo collaboratori in vostra regione
Subject: Lavoro part-time
Subject: Ricerchiamo collaboratori in gruppo operante a livello globale

3. UK - Spam for email addresses ending with".uk"

Subject: Wow amazing girl..Read that article

Hey, what's up? Actually, for that long time we haven't been reaching each other, I've discovered a brilliant 
reading stuff. By now, 5 days I am stuck to it have already brought about 2,350 pound for me! I am talking about 
the soft trading market - it doesn't require any specific skills at it, all is automated.
Flick the article through and write me something as you are in. By the way, get a chance to know how the stuff 
works with a demo!
Take the best out of it!
P.s. The article itself: hxxp://newsdep3-telegraph[dot]co/


Interesting observation here is the fake url for The Telegraph newspaper. The spammers are trying to trick the user to visit the following link in disguise of telegraph newspaper.

Following Domain name is hosted on 162[.]255[.]119[.]249 and has been dominantly hosting various phishing websites Information found on Domain Tools is mentioned below.

Information from Domain Tools
Information about the registrant.

Domain Name:                              NEWSDEP3-TELEGRAPH.CO
Domain ID:                                   D153329223-CO
Sponsoring Registrar:                   NAMECHEAP, INC.
Sponsoring Registrar IANA ID:   1068
Registrar URL (registration services):
Domain Status:                             clientTransferProhibited
Registrant ID:                               70G0X0PHDOIUNYLZ
Registrant Name:                          WhoisGuard Protected
Registrant Organization:               WhoisGuard, Inc.
Registrant Address1:                     P.O. Box 0823-03411
Registrant City:                             Panama
Registrant State/Province:             Panama
Registrant Postal Code:                 0
Registrant Country:                       Panama
Registrant Country Code:              PA
Registrant Phone Number:            +507.8365503
Registrant Facsimile Number:       +51.17057182
Registrant Email:                 

Some of the email subjects being used include

Subject - Look what i found
Subject - Why work for your money when your money can work for you?
Subject - Wow amazing girl.. Read that article

When visited the URL it redirected to
As it can be observed it redirects to talegraph[dot]co[dot]uk, not telegraph, which is hosted in Netherlands.

Whois & Quick Stats
Dates Created on 2016-09-27 - Expires on 2017-09-27 - Updated on 2016-09-27  
IP Address is hosted on a dedicated server  
IP Location Netherlands - Zuid-holland - Papendrecht - It-ernity Internet Services Bv
ASN         Netherlands AS21155 ASN-PROSERVE Amsterdam,, NL (registered Sep 11, 2001)
Whois History 4 records have been archived since 2016-10-01  
Whois Server

Webpage of talegraph

As it can be viewed, following is a fake website portraying telegraph newspaper.

Social Media Management Tool It is well-known that people of United States are crazy about social media and get super excited whenever a new app or a tool gets launched. Recently, everyone went crazy after the launch of Pokemon Go. This reaction forced the threat actors to change their way of attacks by focusing on the social media market. There were different malware being developed to exploit this weakness of the users. in a recent blog post, I mentioned how scammers were fooling people to buy cheat codes that never existed In continuation to these attacks, the Kelihos spammers are now inviting users to download, a social media management tool. The following spam is explicitly targeting email addresses ending with ".us," because of the popularity and use of social media in the United States.

Email being spammed is as follows:
Subject: Need your opinion

I'm with, it's a social media management tool the key characteristic of which is to schedule and create
content on various networks at the same time. What's more you also encourage your clients to share, like and
follow your posts.
Since we are connected in LinkedIn I thought it would be a good idea if I asked for your views on our product.
Check us out at: hxxps://kuku[dot]io/a/ms
I appreciate your time. I'm looking forward to receiving any of your comments!


Some of the email subjects being used include:

Subject: Need your opinion
Subject: Need your feeback
Subject: Please let me know if this is of any interest

When visited the webpage mentioned.
Webpage of Kuku[.]io

Kronos Banking Trojan

Now let's get to the sneaky part performed by Kelihos, which is dropping a malicious word document on the desktop. While doing his daily chores of running Kelihos malware and collecting the spam sent, Max  found that a document named 'oldversion' was placed on the desktop. It was strange and we have never seen this behavior previously.
Pictorial view of the document icon on the Desktop

On further scrutiny, we found that during the capture, Kelihos did a GET request to download the document.

hxxp://topswingusa[dot]top/qivi/oldversion[dot]doc - Get request

IP address of topwingsusa[dot]top -
Virus total result of topswingusa[dot]top

An interesting string found in the process hacker was "  UPLD save to: C:\Users\malware\Desktop\oldversion.doc"

Out of curiosity and to do more in-depth research, I decided to click the document. The document did not disappoint and asked for two of my favorite things when viewing a word document.

Enable Editing
 The document was opened in Protected view and after clicking 'Enable Editing,' it asked to "Enable Content.

Enable Content
After clicking 'Enable Content,' It spawns a child process with the name '24580.exe' and then another child process was launched with the name of "svchost.exe". The process killed itself and did not run properly.

Hence, I have to put it into OLLYDBG to get the malware working. On further observations in the debugger, I found that it was checking for virtual machine. Hence, it was vmware aware and killed itself instantaneously. But before it killed itself, I found the following string in the "svchost.exe" in the debugger, which mentioned the malware to be Kronos.

Hence, it can inferred that the following malware is Kronos. In order to be double sure, I repeated the process by downloading the malicious document and running it again.

This time I was able to gather more information, once the document is activated by 'Enable Content,' it grabs the downloader from the following url:
which is hosted on the same IP 167[.]88[.]160[.]146. Once the file "mswords2k8[dot]exe was obtained, it spawned a third process named as "MSOSQM", which was Kronos malware. 

On further scrutiny, I found that both the downloaders "24580.exe" and "mswords2k8[dot]exe" have the same MD5 hash, 547890EA5FD8374383E0663223B5A26F.

Downloader and Kronos malware

 Another interesting observation found in the debugger is presence of a string named "BOTID"


Researchers are still working on trying to find more about the significance of BOTID. Hopefully, everyone will be updated soon with the findings.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.