
System Infected: Infostealer.Kronbank Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects activity of Infostealer.Kronbank.

Additional Information

When the Trojan is executed, it creates the following file:
%AppData%\Microsoft\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe

The Trojan creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"[RANDOM CHARACTERS]" = "[RANDOM CHARACTERS]"

The Trojan creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"[RANDOM CHARACTERS]" = "[RANDOM CHARACTERS]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%AppData%\Microsoft\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%AppData%\Microsoft\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe"

The Trojan injects malicious code into popular web browsers in order to steal banking-related information from web pages.

The Trojan then sends the stolen information to the following remote locations:
[http://]managejave.myftp.org/upfornow/conne[REMOVED]
[http://]update43x.myvnc.com/upfornow/conne[REMOVED]
[http://]nonstop.serveminecraft.net/upfornow/conne[REMOVED]
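The following PowerShell script is an added example, not part of the Symantec write-up: it hunts a live Windows host for the two artifact patterns listed above, a Run-key value whose data points at %AppData%\Microsoft\<random>\<random>.exe and an executable sitting one level below %AppData%\Microsoft. It assumes the value data is stored either with the literal %AppData% token or already expanded; function names are chosen here and anything it reports is suspicious rather than confirmed.

```powershell
# Added example (not from the Symantec page): hunt for the persistence and
# dropped-file pattern described above. Assumption: Run value data is either
# the literal "%AppData%\..." string or the expanded path; a match is only a
# lead that needs verification, since legitimate software can use this folder.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# %AppData%\Microsoft\<random>\<random>.exe, optionally quoted, literal or expanded.
# -match is case-insensitive, so %APPDATA% and %AppData% both match.
$appData = [regex]::Escape($env:APPDATA)
$pattern = '^"?(?:%AppData%|' + $appData + ')\\Microsoft\\[^\\]+\\[^\\]+\.exe"?\s*$'

function Find-KronbankRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those
            if ($p.Name -like 'PS*') { continue }
            if ($p.Value -is [string] -and $p.Value -match $pattern) {
                $exe = [Environment]::ExpandEnvironmentVariables($p.Value.Trim('"'))
                [pscustomobject]@{
                    Key        = $key
                    ValueName  = $p.Name
                    ValueData  = $p.Value
                    FileExists = Test-Path -LiteralPath $exe
                }
            }
        }
    }
}

# Independently of the Run keys, list any .exe one directory below %AppData%\Microsoft
function Find-KronbankDropFiles {
    Get-ChildItem -Path (Join-Path $env:APPDATA 'Microsoft') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -Path $_.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue } |
        Select-Object FullName, Length, LastWriteTime
}

$runHits  = Find-KronbankRunEntries
$fileHits = Find-KronbankDropFiles
if ($runHits -or $fileHits) {
    Write-Warning 'Possible Infostealer.Kronbank artifacts found; verify before acting.'
    $runHits  | Format-Table -AutoSize
    $fileHits | Format-Table -AutoSize
} else {
    Write-Output 'No matching Run entries or dropped files found.'
}
```

Run it in the context of the user being checked, since the HKCU hive and %AppData% are per user; the HKLM Run key is covered regardless of who runs it.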

Affected

  • Various versions of 32-bit and 64-bit Windows OS.