The creator of the Osiris banking Trojan ceased activity in March this year, but Osiris appears to have been replaced by its “relative”, the Ares malware.
For the past three years, a developer using the pseudonym Anubi provided groups of cybercriminals with access to the Osiris Trojan, but has seemingly ceased activity, citing a lack of interest in Trojans in the hacker community.
But just as Anubi announced the end of their operations, cybersecurity experts at Zscaler discovered a new banking Trojan called Ares, developed from the old Kronos codebase and resembling the Osiris Trojan.
It is currently unclear if Anubi was involved in the creation of the Trojan or if they transferred the development of the codebase to a new developer.
According to experts, the link between the three types of malware is more than obvious, although the Ares code is still in the early stages of development. It contains several errors and unreferenced code segments, which are presumably used for debugging purposes.
Osiris, an updated and improved version of the Kronos malware, infected Windows computers and injected malicious code into web browsers to steal e-banking credentials and alter banking transactions.
The malware used advanced rootkits to maintain persistence on infected systems, and could also steal credentials from several local applications and send them to the C&C server.
The banking Trojan has seen declining use among cybercriminal groups. The last Osiris update appears to have been around mid-2019. But the attacker behind the new malware variant continues to use Osiris and Ares in parallel.
Let me remind you that recently I also talked about the fact that security researchers discovered a new Moriya rootkit for Windows.