A new version of the Kronos banking trojan is making the rounds, according to Proofpoint security researchers, who say they’ve identified at least three campaigns spreading a revamped version of this old trojan that had its heyday back in 2014.

According to a report published yesterday evening, the first samples of this new Kronos variant were spotted in April of this year.

While initial samples appeared to be tests, real-life campaigns got off the ground in late June, when researchers started detecting malspam and exploit kits delivering this new version to users in the wild.

Campaigns targeted Germany, Japan, Poland

Proofpoint reports spotting three campaigns and one test run, targeting users of German, Japanese, and Polish banks.

| Period | Campaign type | Target | C&C |
| --- | --- | --- | --- |
| June 27-30, 2018 | Malspam, macro-laced Word docs | Users of 5 German financial institutions | http://jhrppbnh4d674kzh[.]onion/kpanel/connect.php |
| July 13, 2018 | RIG EK | Users of 13 Japanese financial institutions | http://jmjp2l7yqgaj5xvv[.]onion/kpanel/connect.php |
| July 15-16, 2018 | Malspam, CVE-2017-11882 | Users in Poland | http://suzfjfguuis326qw[.]onion/kpanel/connect.php |
| July 20, 2018 | Software download site | Test run | hxxp://mysmo35wlwhrkeez[.]onion/kpanel/connect.php |

The malware used in these campaigns is not the original Kronos, but one that has received several updates compared to its 2014 edition [1, 2, 3, 4].

Proofpoint reports an extensive code overlap between the 2018 and 2014 versions. Similarities include that the 2018 version uses the same Windows API hashing technique and hashes, the same string encryption technique, the same C&C…