David Morán May 24, 2021 8 min read

Osiris Banking Trojan for Windows


Morphisec identified a new campaign targeting German clients, characterized by the download of an Osiris client with the ability to communicate via Tor with the command-and-control server (C2).

Introduction

This capability was already present in the Kronos banking trojan, first seen for sale on underground markets around 2014. As in other cases, the trojan is being used to download further malware.



[Image: malware-osiris-01]

Figure 1 – Download message for victims. Source: Morphisec.com



In this case, two JavaScript downloaders are retrieved during the attack, one of which is used for persistence. PowerShell commands then perform the reflective loading of a .NET assembly: the payload is read from the registry, decoded into a new .NET assembly that exists only in memory, and executed within the address space of a legitimate process. Once installed on the computer, the malware connects to its C2 through the Tor network.


Similarities Among Samples


The samples used in the campaign identified by Morphisec are linked to the Kronos family. At the time of writing, there are about 20 samples similar to the Osiris one, the oldest dating from 2019.

The greatest similarities are in the domains contacted: 14 of the samples use api.ipify.org to obtain the victim's public IP address. The samples also share similar URLs, some of which contain the words "tor" or "onion"; the string "tor/status-vote/current/consensus" (the path a Tor client requests from a directory server to fetch the network consensus) is easily identified during dynamic analysis in the laboratory.



[Image: malware-osiris-02]

Figure 2 - View of similarities for 20 samples


Observables During Execution


The malware runs from the registry, maintaining persistence through the key HKCU:\SOFTWARE\<username>1; the payload stored there is loaded reflectively and hides in the address space of a legitimate Windows process. This persistence is set up by the second of the JavaScript files downloaded by the malware, which can change with each new download but keeps the same structure. The registry is also used to store an identifier under the same HKCU key, consisting of five random letters.
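As an added example (not code from Morphisec or from the original analysis), the following Python script hunts an offline .reg export for the persistence pattern just described: a key named <username>1 directly under HKCU\SOFTWARE, a value whose base64 string data decodes to a PE image (the stored .NET assembly), and a five-letter value that could be the bot identifier. The .reg sample, the value names (rfkqz, id) and the heuristics are assumptions constructed for this example; the real value names vary from infection to infection.

```python
"""Hunt a .reg export for the registry persistence pattern described above.

Heuristics (assumptions for this example, not taken from the original post):
  * a key named <username>1 directly under HKEY_CURRENT_USER\\SOFTWARE
  * a value whose base64 string data decodes to a PE image ("MZ" header)
  * a value that is exactly five ASCII letters, but only inside a key that
    already looks suspicious (alone it would match far too many ordinary strings)
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
FIVE_LETTER_ID_RE = re.compile(r"[A-Za-z]{5}")
MIN_BLOB_LEN = 64  # ignore short strings that merely happen to be valid base64


@dataclass
class Finding:
    key: str
    value_name: str  # "" when the finding is about the key itself
    reason: str


def unescape_reg_string(data: str) -> str:
    # .reg string data escapes '\' and '"' with a leading backslash.
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the subset of the .reg format used here: [key] headers and "name"="string" values.
    Binary (hex:) and DWORD values are skipped, since the payload is a base64 string."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = REG_KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            keys.setdefault(current, {})
            continue
        value_match = REG_VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group("name")] = unescape_reg_string(value_match.group("data"))
    return keys


def looks_like_base64_pe(data: str) -> bool:
    """True if data is valid base64 whose decoded bytes start with the DOS 'MZ' header."""
    if len(data) < MIN_BLOB_LEN:
        return False
    try:
        decoded = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return decoded[:2] == b"MZ"


def hunt(keys: dict[str, dict[str, str]], username: str) -> list[Finding]:
    """Return findings for keys under HKCU that match the persistence pattern."""
    findings: list[Finding] = []
    suspect_key = f"hkey_current_user\\software\\{username}1"
    for key, values in keys.items():
        if not key.lower().startswith("hkey_current_user\\"):
            continue
        is_suspect = key.lower() == suspect_key
        if is_suspect:
            findings.append(Finding(key, "", "key named <username>1 directly under HKCU\\SOFTWARE"))
        pe_values = [name for name, data in values.items() if looks_like_base64_pe(data)]
        for name in pe_values:
            findings.append(Finding(key, name, "base64 string data decodes to a PE image (MZ header)"))
        if is_suspect or pe_values:
            for name, data in values.items():
                if FIVE_LETTER_ID_RE.fullmatch(data):
                    findings.append(Finding(key, name, "five-letter value (candidate bot identifier)"))
    return findings


# Constructed sample: a fake PE blob (just an MZ header plus padding) and a
# five-letter ID under HKCU\SOFTWARE\alice1, next to an ordinary Run entry.
FAKE_PE_B64 = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00").decode()

SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\SOFTWARE\\alice1]
"rfkqz"="{FAKE_PE_B64}"
"id"="KQWZP"

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"OneDrive"="C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe /background"
"""

if __name__ == "__main__":
    for f in hunt(parse_reg_export(SAMPLE_REG), username="alice"):
        print(f"{f.key} :: {f.value_name or '<key>'} :: {f.reason}")
```

On a live host, `reg export HKCU\SOFTWARE hkcu.reg /y` produces a UTF-16 file, so open it with `encoding="utf-16"` before passing the text to `parse_reg_export`. The PE check is the strongest of the three heuristics; the key-name and five-letter checks are there to catch variants that encode the payload differently, and the five-letter check is deliberately only applied alongside one of the other two.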



Once the malware begins communicating with the Tor network, a series of connections can be observed throughout its execution.





[Image: malware-osiris-03]

Figure 3 - Successive captures of the properties of the malicious process



It should be noted that, although the researchers point out that one of the JavaScript files contains three domains with which the malware tries to communicate, these change every few days. During execution we can observe multiple connections being established and then closed within a short period of time, a consequence of the behaviour of the Tor network itself.




[Image: malware-osiris-06]

Figure 4 - Initial steps in Tor communication - request for consensus file
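The consensus request shown in Figure 4, the api.ipify.org lookup noted under Similarities Among Samples and the burst of short-lived connections described above can be combined into a simple network-side detection. The following Python is an added example written for this post, not code from Morphisec or from the original analysis. It runs over a constructed, tab-separated connection log with one row per connection (HTTP host and URI where a proxy or sensor saw plaintext HTTP, "-" otherwise); the field layout, the addresses and the thresholds are all assumptions for the example and would need tuning against real traffic.

```python
"""Flag hosts whose traffic matches the Tor bootstrap pattern described above.

Indicators (thresholds are assumptions for this example):
  1. an external IP lookup against api.ipify.org
  2. a plaintext request for /tor/status-vote/current/consensus* (Tor directory
     protocol: the client fetches the network consensus before building circuits)
  3. a burst of short-lived, non-HTTP connections to several distinct hosts
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass

TOR_CONSENSUS_PREFIX = "/tor/status-vote/current/consensus"
IP_LOOKUP_HOSTS = {"api.ipify.org"}
SHORT_CONN_SECONDS = 2.0     # connection closed again within this many seconds
BURST_WINDOW_SECONDS = 60.0  # sliding window for counting such connections
BURST_MIN_DESTS = 5          # distinct destinations needed inside the window


@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    duration: float
    host: str  # HTTP Host header, or "-" if no plaintext HTTP was seen
    uri: str   # HTTP request URI, or "-"


def parse_conn_log(text: str) -> list[Conn]:
    """Parse a tab-separated log with a header row (assumed layout, see lead-in)."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [
        Conn(float(r["ts"]), r["src"], r["dst"], int(r["dport"]),
             float(r["duration"]), r["host"], r["uri"])
        for r in reader
    ]


def has_short_lived_burst(conns: list[Conn]) -> bool:
    """True if >= BURST_MIN_DESTS distinct hosts received short non-HTTP connections within one window."""
    short = sorted((c for c in conns if c.host == "-" and c.duration < SHORT_CONN_SECONDS),
                   key=lambda c: c.ts)
    for i, first in enumerate(short):
        dests = {c.dst for c in short[i:] if c.ts - first.ts <= BURST_WINDOW_SECONDS}
        if len(dests) >= BURST_MIN_DESTS:
            return True
    return False


def analyse(conns: list[Conn]) -> dict[str, list[str]]:
    """Map each source IP to the indicators it triggered; sources with none are omitted."""
    by_src: dict[str, list[Conn]] = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    report: dict[str, list[str]] = {}
    for src, cs in by_src.items():
        indicators = []
        if any(c.host in IP_LOOKUP_HOSTS for c in cs):
            indicators.append("external IP lookup via api.ipify.org")
        if any(c.uri.startswith(TOR_CONSENSUS_PREFIX) for c in cs):
            indicators.append("plaintext Tor directory request for the network consensus")
        if has_short_lived_burst(cs):
            indicators.append(
                f"{BURST_MIN_DESTS}+ short-lived non-HTTP connections to distinct hosts "
                f"within {BURST_WINDOW_SECONDS:.0f}s")
        if indicators:
            report[src] = indicators
    return report


# Constructed sample log (documentation address ranges): 10.0.0.5 shows the
# full pattern, 10.0.0.9 is ordinary browsing.
SAMPLE_CONN_LOG = "\n".join("\t".join(row) for row in [
    ("ts", "src", "dst", "dport", "duration", "host", "uri"),
    ("1621850000.0", "10.0.0.5", "192.0.2.10", "80", "0.4", "api.ipify.org", "/"),
    ("1621850002.0", "10.0.0.5", "192.0.2.20", "80", "1.2", "192.0.2.20",
     "/tor/status-vote/current/consensus-microdesc"),
    ("1621850005.0", "10.0.0.5", "203.0.113.11", "443", "0.3", "-", "-"),
    ("1621850006.0", "10.0.0.5", "203.0.113.12", "443", "0.5", "-", "-"),
    ("1621850007.0", "10.0.0.5", "203.0.113.13", "9001", "0.2", "-", "-"),
    ("1621850008.0", "10.0.0.5", "203.0.113.14", "443", "0.6", "-", "-"),
    ("1621850009.0", "10.0.0.5", "203.0.113.15", "9001", "0.4", "-", "-"),
    ("1621850010.0", "10.0.0.5", "203.0.113.16", "443", "35.0", "-", "-"),
    ("1621850001.0", "10.0.0.9", "198.51.100.7", "443", "12.0", "www.example.com", "/index.html"),
    ("1621850003.0", "10.0.0.9", "198.51.100.8", "443", "0.8", "cdn.example.com", "/app.js"),
])

if __name__ == "__main__":
    for src, hits in analyse(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(src)
        for hit in hits:
            print("  -", hit)
```

Indicator 2 is the high-confidence one, but it only fires when the directory fetch is visible in plaintext, as it was in the laboratory capture here; a Tor client that tunnels its directory requests inside TLS to a relay will leave only indicators 1 and 3, which are weaker on their own and are best treated as a combined signal.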



The GeX64BIT.exe file, which appears in the VirusTotal samples related to this one, is only generated on 64-bit systems and exists for just a few seconds, during which it creates a file that is later deleted along with the executable itself.

Its role is therefore presumably to enable execution on 64-bit systems. Note that this behaviour, observed in the binary in our laboratory, may differ from the infections reported by Morphisec.




[Image: malware-osiris-04]

Figure 5 - View of one of the VirusTotal samples and the file generated as part of the GeX64BIT.exe malware execution




[Image: malware-osiris-05]

Figure 6 – GeX64BIT.exe behavior





Conclusions


The main characteristics of this malware are, on the one hand, the use of obfuscated JavaScript files that use the registry as a staging area for the installation of the malware and, on the other, the use of the Tor network to connect to the command-and-control server.

These are not new techniques, and there are common patterns that can aid in their detection. Once again, the initial hook is phishing. It appears that the campaign could extend beyond German clients to the United States and Korea. This highlights, once more, the importance of awareness campaigns and cybersecurity training.



As for process hollowing and process doppelgänging, they are a common resource for malware authors who want to hide the execution of their code inside legitimate processes. Protection on this front comes from deploying endpoint security solutions on clients that monitor process creation and code injection. In addition, it should be noted that this operation has been linked to other attacks that use PDF files as the hook. In those cases the persistence mechanisms described above could vary, but the observed communication behaviour is maintained.



David Morán

David has more than 15 years' experience in cybersecurity, systems and development, starting out in a now-defunct hacking team known as Badchecksum. He collaborated at Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network, with a traffic load of over 12 Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits, as well as malware for Windows environments. He is currently the head of Revelock's development team, managing task distribution and negotiating with the Head of Technology.