After the cybercriminals behind Citadel started to withdraw the Trojan from the semi-open market, the underground began its search for a new banking malware. Now, according to the RSA, a perfect candidate has been put up for sale.
The ideal banking Trojan must be commercially available, easy to use, and it must come with quality technical support. The new piece of malware dubbed “KINS” appears to have what it takes.
The first rumors about KINS surfaced in February 2013, when many cybercriminals were desperately seeking its seller.
Now, an ad for KINS has been posted on a Russian-speaking online forum.
The creator of KINS claims his Trojan has been developed from scratch, and it’s not based on any known threat.
The standard version costs $5,000 (€3,800), payable via WebMoney. Those who want additional modules such as the Anti-Rapport plugin will have to pay an extra $2,000 (€1,500).
While the author of KINS claims his creation is built from scratch, the Trojan has several features that are also found in ZeuS and SpyEye.
For instance, the architecture is similar to the one of SpyEye and ZeuS, and it’s compatible with ZeuS web injections.
Interestingly, the malware is designed to work only against users from non-USSR countries. If a Russian or Ukrainian system is detected, the Trojan shuts down. This particular feature was first seen in Citadel at the beginning of 2012.
The author of KINS seems determined to make sure his creation is better than other Trojans. For example, it’s designed to stay away from Trojan trackers, it spreads via popular exploit packs, it can infect machines running Windows 8 and 64bit operating systems, and it comes with a bootkit.
“With all other major malware developers choosing to lay low to avoid imminent arrest by law enforcement authorities, KINS’ author is very sure to see an immediate demand for his Trojan, so long as he can avoid capture himself and as soon as high-ranking peers sign off on its crime-grade quality,” RSA Cyber Intelligence Expert Limor Kessem noted.