RSA Uncovered a New Sophisticated Banking Trojan known as KINS
Security researchers at security firm RSA have uncovered a new professional-grade banking Trojan named KINS, which could effectively spread like Zeus, SpyEye and Citadel.
RSA began hearing about a new Trojan toolkit known as "KINS" in February 2013 and then recently discovered an announcement of its sale in a closed Russian-speaking underground forum.
An advertisement for KINS claims that the Trojan was created from scratch and is not derived from any other Trojan's codebase; however, that claim remains to be confirmed. Darkreading.com published a report on 23rd July, 2013 quoting Limor Kessem, a Cybercrime and Online Fraud Specialist at RSA, as saying "The kit should be available soon to enable RSA researchers to study the code and confirm its makeup."
The ad also promises the availability of a Remote Desktop Protocol (RDP) module which allows botmasters to access compromised machines remotely.
Besides this, the ad for KINS also touts the simplicity and security of the malware.
The ad says that no special skills are needed to install the Trojan and no special knowledge is needed to use the bot. It also says that the malware supports Windows 8.
The standard version of KINS costs $5,000 (Euro 3,800), payable via WebMoney. Those who want an additional module, such as the Anti-Rapport plug-in, will have to pay an extra $2,000 (Euro 1,500).
The author of KINS claims that he built the Trojan from scratch, and it has several features that are also found in Zeus and SpyEye.
For example, the Trojan's architecture is similar to that of SpyEye and Zeus, and it is compatible with Zeus web injections.
Threatpost.com published a statement on 23rd July, 2013 quoting Kessem on this particular feature saying "The developer of KINS seems to be a loyal disciple of his predecessors and taking their best practices and using them in his Trojan".
Interestingly, the malware is designed to work only against users from non-USSR countries, and it shuts down whenever a Russian or Ukrainian system is detected. This peculiar feature was first discovered in Citadel in early 2012, the security firm concludes.
» SPAMfighter News - 29-07-2013