
New banking Trojan emerges

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 25 Jul 2013

A new commercial banking Trojan called KINS has reared its head - the first since the notorious Citadel Trojan was taken off the commercial malware market in December 2012.

According to an RSA blog, cyber crooks have been eagerly searching for a replacement. As soon as Citadel was whipped off the 'shelves', the 'deep-Web enclaves' where cyber criminals congregate were flooded with fraud-as-a-service deals for Trojan binaries and hosting packages.

Citadel being taken off the market resulted in a dry spell for the lower-ranking cyber criminals. A couple of shady malware developers tried to make a little money by selling basic malware and converted HTTP bots (Trojans that work through a list of tasks, fitted with a form-grabber). However, there was still a gap in the market for an effective new Trojan.

In February, RSA's researchers began following rumours about a new tool called "KINS". At the time, data was scarce, and no concrete information could be found. However, through bits and pieces of intel, it emerged that cyber criminals were associating a Trojan named KINS with the Citadel source code, and reaching out to its developer in order to buy the malware.

Five months later, a vendor on a closed Russian-speaking online forum announced that KINS was openly for sale to the cyber crime underworld.

KINS costs only $5 000 and comes with a dropper, DLLs and Zeus-compatible Web injects. Additional modules and plug-ins cost a further $2 000 each.

Despite the KINS author quickly and vehemently denying any ties to other Trojans, the malware shares several features with Zeus and SpyEye. Its architecture mirrors Zeus/SpyEye: a main executable with DLL-based plug-ins.

It is compatible with Zeus Web injections, as is SpyEye, and ships with an Anti-Rapport plug-in (aimed at defeating Trusteer's Rapport browser protection), which SpyEye also offers. Like SpyEye it supports RDP, and like Zeus it requires no particular technical skill to operate.
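The "Zeus-compatible Web injects" referred to above are the text-based inject configuration that Zeus popularised and that SpyEye, and now KINS, consume. The following is an added example, not code from the article or from any of these Trojans: a small Python parser for that format and a function that applies an inject to a page the way a form-grabbing Trojan would, so an analyst who has pulled a config out of a sample can see exactly what it changes. The configuration, the host in the URL mask and the login page are constructed for the example; only the G and P flag letters are interpreted, and the data_after semantics (replace everything between the two anchors) are the commonly documented Zeus behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Zeus "webinjects.txt" format; the URL mask points
# at a made-up host, not a real bank.
SAMPLE_WEBINJECTS = """\
set_url https://online.example-bank.test/login* GP
data_before
name="password"*</div>
data_end
data_inject
<div><label>ATM PIN</label><input type="text" name="pin"></div>
data_end
data_after
data_end
"""

# Constructed login page the inject is applied to.
SAMPLE_PAGE = """\
<form action="/login" method="post">
<div><label>User</label><input type="text" name="user"></div>
<div><label>Password</label><input type="password" name="password"></div>
<button>Sign in</button>
</form>
"""


@dataclass
class WebInject:
    url_mask: str      # set_url pattern, '*' is a wildcard
    flags: str         # G = apply to GET responses, P = apply to POST responses
    before: str = ""   # data_before: anchor text the inject is placed after
    inject: str = ""   # data_inject: HTML written into the page
    after: str = ""    # data_after: optional end anchor; text in between is replaced


def parse_webinjects(text):
    """Parse a Zeus-style inject file into WebInject records."""
    injects, current, section, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            parts = line.split()
            current = WebInject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end":
            if current is not None and section is not None:
                setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw)
    return injects


def mask_to_regex(mask):
    """Zeus masks are literal text with '*' as a non-greedy wildcard."""
    return re.compile(re.escape(mask).replace(r"\*", ".*?"), re.S)


def url_matches(inject, url, method):
    wanted = {"GET": "G", "POST": "P"}[method]
    return wanted in inject.flags and mask_to_regex(inject.url_mask).fullmatch(url) is not None


def apply_inject(html, inject):
    """Return (new_html, applied). The inject goes right after the data_before
    match; if data_after is set, everything between the two anchors is replaced."""
    m = mask_to_regex(inject.before).search(html)
    if not m:
        return html, False
    start = end = m.end()
    if inject.after:
        m2 = mask_to_regex(inject.after).search(html, end)
        if not m2:
            return html, False
        end = m2.start()
    return html[:start] + inject.inject + html[end:], True


def inject_response(url, method, html, injects):
    """Apply every inject whose mask and flags match this response; return (html, count)."""
    count = 0
    for inj in injects:
        if url_matches(inj, url, method):
            html, applied = apply_inject(html, inj)
            count += applied
    return html, count


if __name__ == "__main__":
    injects = parse_webinjects(SAMPLE_WEBINJECTS)
    page, n = inject_response("https://online.example-bank.test/login?lang=en",
                              "GET", SAMPLE_PAGE, injects)
    print(f"{n} inject(s) applied:\n{page}")
```

Run stand-alone, the sample adds an "ATM PIN" field after the password box of the constructed form: the page still comes from the real server over a valid TLS session, which is why browser-side injects defeat site authentication and why the defence is detecting the hooked browser, not the page.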

According to RSA, the most interesting development in KINS is that it includes a bootkit, a kernel-mode rootkit variant that infects the boot sequence (the master boot record or a volume boot record) so that its code runs before the operating system and any security software installed on it. That vantage point gives the Trojan persistence and stealth, and it is also what lets bootkits subvert full-disk encryption, by intercepting the passphrase at the pre-boot prompt. RSA says KINS is the first commercial banking Trojan to use a bootkit.
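A bootkit lives in the boot code that runs before the operating system, so the practical check is whether that code still matches a known-good copy. The following is an added example, not code from the article, from RSA or from KINS: a small Python routine that parses a classic 512-byte MBR sector, compares the SHA-256 of its bootstrap code with a baseline and flags structural anomalies in the partition table. The "clean" sector, its boot-code bytes, partition layout and disk signature are constructed for the example, and the patch that stands in for a bootkit's hook is a placeholder jump, not real malware.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: bootstrap code executed by the BIOS
TABLE_OFFSET = 446         # four 16-byte partition entries
MBR_MAGIC = b"\x55\xaa"    # boot signature at bytes 510..511


def build_mbr(boot_code, partitions, disk_signature=0x1234ABCD):
    """Assemble an MBR from bootstrap code and (status, type, start_lba, sectors) tuples.
    CHS fields are left zero; modern firmware uses the LBA values."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")[:64]
    return code + struct.pack("<IH", disk_signature, 0) + table + MBR_MAGIC


def parse_mbr(sector):
    """Split a sector into boot code, its hash, the signature check and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "magic_ok": sector[510:512] == MBR_MAGIC,
        "partitions": parts,
    }


def assess_mbr(sector, baseline_code_sha256):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    info = parse_mbr(sector)
    findings = []
    if not info["magic_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one active partition, found {len(bootable)}")
    # Overlapping entries are never legitimate and deserve a closer look.
    spans = sorted((p["start_lba"], p["start_lba"] + p["sectors"]) for p in info["partitions"])
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append("partition entries overlap")
            break
    return findings


# Constructed sample: a standard x86 MBR prologue followed by filler bytes,
# standing in for a real boot loader. Not a real disk image.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + bytes(range(256))
PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1048576)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()


def simulate_bootkit(sector):
    """Model a bootkit infection: the start of the boot code is replaced by a
    jump (placeholder bytes here) to attacker code that the real thing would
    store in sectors outside any partition. Everything else is left intact."""
    patched = bytearray(sector)
    patched[0:3] = b"\xe9\x00\x10"
    return bytes(patched)


INFECTED_MBR = simulate_bootkit(CLEAN_MBR)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, assess_mbr(mbr, BASELINE_SHA256) or ["no findings"])
```

Two caveats apply when running this against a live machine: a bootkit that hooks the disk driver can hand the running OS a clean copy of the sector, so the baseline and the comparison should come from an offline read (a forensic image, or booting from trusted media), and a UEFI/GPT system needs a different check, since its boot code sits in the EFI system partition and is covered by Secure Boot rather than by the MBR.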

"Beyond being advertised on the most exclusive venues where all other major Trojans were introduced in the past, KINS appears already to be a familiar name in the underground; its developer is responsive and further offers technical support to new customers, which has become a strong selling point for any malware vendor," says RSA.
