Kronos malware was first discovered around June 2014 by a Russian security researcher named VinnyK; the malware scripts were written in Russian and later translated into English.

Kronos malware was initially available for sale on a Russian underground forum with a price tag of $7000, as the malware includes multiple modules for different evasion and detection techniques. It is also used to download other malware. In one such email campaign, while banking trojan activity continued, Kronos acted as a loader for a new Point-of-Sale (POS) malware.

It initially targeted the UK and North America. The email messages contained a document attachment and a malicious link pointing to a suspicious domain under the attacker's control.

Source: Proofpoint

The link contained the URL: hxxp://intranet[.]excelsharepoint[.]com/profile/Employee[.]php?id= [base64 encoded e-mail address]

Notable elements of the Kronos malware:

  • Encrypted communication between the malware and its CnC.
  • Sandbox bypassing.
  • Antivirus bypassing.
  • Defence against other trojans using a user-mode 32-bit and 64-bit rootkit.
  • Uses common credential-stealing techniques such as form grabbing and HTML injection in major browsers like IE, Firefox and Chrome.
  • Consistently targets financial departments such as banking, payroll, etc.

Kronos malware detections

The malware uses an undetected injection method that bypasses proactive anti-virus solutions, and the communication between the bot and the panel is encrypted to defeat sniffers.

In 2021, close to Christmas Eve, Kronos malware again struck, crippling the HR (Human Resources) provider UKG. Unfortunately, employees and customers may miss payroll for the week. UKG is still investigating the attack, so in the meantime it is better to block the initial IOCs listed below and implement proper security controls to stop such attacks from spreading.

A few of the Indicators of Compromise (IOCs) to monitor:

Kronos malware installs in the path %APPDATA%/Microsoft/[machine-specific GUID], and persistence is achieved with a simple Run key in the registry.

Suspicious URLs:

  • hxxp://[.]com/profile/profile[.]php?id=[base64 e-mail address]
  • add.souloventure[.]org (RIG-v domain)
  • hxxp://intranet.excelsharepoint[.]com/profile/Employee[.]php?id=[base64 e-mail address]
  • hxxp://intranet.excel-sharepoint[.]com/doc/employee[.]php?id=[base64 e-mail address]
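As an added example (not code from the original post or from Proofpoint's report), the following Python scans proxy-log lines for the URI structure the URLs above share, a `/profile/` or `/doc/` PHP page whose `id` parameter is a base64-encoded e-mail address, and only flags requests whose `id` actually decodes to an e-mail address. The regex, the log format and the sample log lines are assumptions; the hostnames are the IOC domains listed above.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# URI structure shared by the Kronos campaign URLs listed above:
#   /profile/Employee.php?id=<base64 e-mail>, /profile/profile.php?id=..., /doc/employee.php?id=...
# The regex is an assumption derived from those IOCs, not a published signature.
URI_PATTERN = re.compile(
    r"https?://(?P<host>[^/\s]+)/(?:profile|doc)/(?:employee|profile)\.php\?id=(?P<id>[A-Za-z0-9+/=%]+)",
    re.IGNORECASE,
)
EMAIL_PATTERN = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def decode_id(value: str) -> Optional[str]:
    """Return the id as an e-mail address if it is valid base64 that decodes to one, else None."""
    raw = value.replace("%3D", "=").replace("%3d", "=")  # tolerate URL-encoded padding
    raw += "=" * (-len(raw) % 4)                          # tolerate stripped padding
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if EMAIL_PATTERN.match(decoded) else None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, victim e-mail) for every log line matching the loader URI structure."""
    hits = []
    for line in lines:
        match = URI_PATTERN.search(line)
        if not match:
            continue
        email = decode_id(match.group("id"))
        if email:  # a numeric or random id is not this campaign's beacon
            hits.append((match.group("host").lower(), email))
    return hits


# Constructed proxy-log lines for demonstration; hosts are the IOC domains listed above.
SAMPLE_LOG = [
    "2016-11-14 10:02:11 10.0.0.5 GET http://intranet.excelsharepoint.com/profile/Employee.php?id=am9obi5kb2VAZXhhbXBsZS5jb20= 200",
    "2016-11-14 10:03:40 10.0.0.7 GET http://intranet.excel-sharepoint.com/doc/employee.php?id=YWxpY2VAZXhhbXBsZS5vcmc%3D 200",
    "2016-11-14 10:04:02 10.0.0.9 GET http://www.example.com/profile/profile.php?id=12345 200",
    "2016-11-14 10:05:00 10.0.0.9 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for host, email in scan_proxy_log(SAMPLE_LOG):
        print(f"Kronos-style beacon to {host} for victim {email}")
```

The decoded e-mail address tells you which mailbox received the lure, which is the first thing to check when scoping the phishing campaign.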


Hash Values:

Command and Control (CnC)

IDS/IPS Coverage

  • 2018125 ET CURRENT_EVENTS SUSPICIOUS .PIF File Inside of Zip
  • 2020077 ET TROJAN Kronos Checkin M2
  • 2020080 ET TROJAN Kronos Checkin
  • 2022124 ET TROJAN Win32.Sharik Microsoft Connectivity Check
  • 2022550 ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016
  • 2023196 ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2
  • 2023401 ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
  • 2816808 ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016
  • 2823254 ETPRO TROJAN ScanPOS Exfiltrating CC Data
  • 2823288 ETPRO TROJAN Zeus Variant CnC SSL Cert

Today, ransomware attacks are increasing worldwide, so it is critical to take proper backups of important data, implement security controls and provide security awareness training to users. Work with the BCP team to have contingency plans in place for cyber attacks on the organization. Receive the latest updates from the breached vendor here.


By Michael

The writer of Infohaunt is a cyber security professional with experience in SOC operations, threat management, incident response, threat hunting and digital forensics.