Malware targeting online banking sites naturally cause alarm among users, as they are designed to steal not only information but also money from its users. Thus it is no surprise that the surfacing of KINS, peddled as “professional-grade banking Trojan” in the underground market, raised concerns that it might become as successful as ZeuS/ZBOT had been in previous years.
During our investigation, we acquired several KINS variants (detected as TSPY_ZBOT.THY and TSPY_ZBOT.THX) and found that it is not really a “new” Trojan. It uses a different packer and contains sophisticated anti-debugging and anti-analysis routines, but underneath it’s still ZeuS: it uses the same folders and file names, injects the same processes, creates the same registry entries, etcetera.
To thwart analysis and debugging, these KINS variants search for and stop running if it finds it is being run inside several popular virtual machine servers (specifically, VMWare and VirtualBox) or a Windows emulator (WINE). Similarly, other security tools like Sandboxie will also cause the malware to stop running.
In terms of functionality, KINS is essentially identical to to ZeuS/ZBOT; for example, it downloads a configuration file that contains the list of targeted banks, drop zone sites, and webinject files. KINS steals online banking data such as user credentials by injecting a specific code onto the user’s browsers when they visit certain URLs in real time. Once done, the malware shows fake but legitimate-looking pop-ups that ask for banking credentials and additional information such as social security number.
As we are on the latter half of 2013, our prediction of old but reliable threats resurfacing remains true in this year’s threat landscape. In our 2Q Security Roundup, we noted the boost in online banking malware last quarter, in particular of ZeuS/ZBOT variants after being under the radar the past year.
With KINS, we can see the ongoing efforts of cybercriminals to refine dated threats with methods to avoid antimalware detection. We can also expect that KINS won’t be the last of its kind. As well-known Trojan toolkits like SpyEye and Ice IX are now available for free and the “leaked” source code of CARBERP easily accessible, it will be easier for the bad guys to create and distribute their own versions of these malware.
Trend Micro detects and deletes the related malware, while Deep Security offers latest protection against exploits that may lead to KINS infection.