Osiris banking Trojan was replaced by its “relative”- the Ares malware

The creator of the banking Trojan Osiris ceased its activity in March this year, but it seems that Osiris was replaced by his “relative” – the Ares malware.

For the past three years, a developer using the pseudonym Anubi has provided access to the Osiris Trojan to groups of cybercriminals, but has seemingly ceased its activities, citing a lack of interest in Trojans in the hacker field.

But just as Anubi announced it was ending its operations, cybersecurity experts at Zscaler discovered a new banking Trojan called Ares, developed from the old Kronos codebase and resembling the Osiris Trojan.

In February 2021, Zscaler ThreatLabz identified a new Kronos variant that surfaced via spam campaigns to German speakers, which calls itself Ares. In Greek mythology, Ares is the son of Zeus and grandson of Kronos. Thus, the naming convention appears to refer to this new malware variant as the third generation of Kronos. Ares still appears to be in development alongside an information stealer that harvests credentials from various applications including VPN clients, web browsers, and the malware can exfiltrate arbitrary files and cryptocurrency wallets.Zscaler experts explain.

It is currently unclear if Anubi was involved in the creation of the Trojan or if they transferred the development of the codebase to a new developer.

According to experts, the link between the three types of malware is more than obvious, although the Ares code is currently in its early stages of development. The code contains several errors and code segments that are not referenced. Presumably they are used for debugging purposes.

Osiris, an updated and improved version of the Kronos malware, infected Windows computers and injected malicious code into web browsers to steal e-banking credentials and alter banking transactions.

The malware used advanced rootkits to maintain persistence on infected systems, and could also steal credentials from several local applications and send them to the C&C server.

The banking Trojan has become less and less used among cybercriminal groups. The last Osiris update appears to have been around mid-2019. But the attacker behind the new malware variant continues to use Osiris and Ares in parallel.

Let me remind you that recently I also talked about the fact that Security researchers discovered a new Moriya rootkit for Windows.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several month after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master degree in cybersecurity, I've started working in as virus analyst in a little anti-malware vendor. In 2018, I've decided to start Virus Removal project. The main target of this site is to help people to deal with PC viruses of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *


Back to top button