Researchers at MalwareMustDie group have discovered a KINS Malware builder leaked online, it is easy to predict a rapid diffusion of the banking trojan.
Security experts at the MalwareMustDie revealed that the source code of the popular KINS malware was leaked online.
Early 2013, experts at RSA discovered traces the banking trojan named KINS by analyzing the offer for malware in the underground communities. RSA researchers discovered an announcement on the Russian black market for the new KINS Trojan toolkit.
The advertisement for the sale of the KINS malware was published on a closed Russian-speaking underground forum.
On June 26, the experts at the MalwareMustDie discovered online a package that includes the KINS 126.96.36.199 builder, dubbed “KINS Builder,” and the source code for the control panel. The package was available on the Web, a circumstance that would allow the rapid diffusion of the banking trojan. Criminal crews can create their samples of the malware and using the available code to build a customized command & control center for the KINS botnet.
Researchers have pointed out that the developers of the malware builder call the tool “KINS Builder.” The experts that analyzed the KINS builder discovered that it generates binaries of a banking malware named ZeusVM, this means that authors of KINS malware have integrated the ZeusVM code into their trojan.
According to the researchers, the malware generated by the KINS builder is completely different from previous KINS detected in the wild.
Experts say this shows that KINS developers have integrated ZeusVM technology into their creation, for example the new KINS uses steganography to hide malware configuration data in a .JPG image file.
*Updated. The original version of the story incorrectly stated that the source code for both the builder and the control panel was made available. Only the source code for the control panel has been leaked. ” states the post from MalwareMustDie.
Currently, the MalwareMustDie research group is working with other experts, including the French Xylit0l and the Japanese unixfreaxjp, to prevent KINS spreading online by removing the package from several websites.
MalwareMustDie also revealed to have discovered version 3 of the KINS malware, which is offered for sale for $5,000 in underground forums.
Experts that desire to analyze the new variant of KINS malware can contact the researchers at MalwareMustDie.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.