It all started the second week of May 2017. WannaCry had already wreaked havoc all around the world: it had brought down the IT systems of several hospitals, public and private organizations, and large multinationals. And the worst thing was that no one knew how to stop the most serious global cybersecurity catastrophe in recent years.

Enter Marcus Hutchins. This 22 year old British researcher stumbled upon the solution almost by accident. After picking apart the malware, he realized the code queried this domain: If the domain was disabled, the code automatically infected the computer on which it was running. But if the domain was activated, the infection was stopped. Marcus Hutchins observed that this domain was free, so bought it, registered it, and stopped WannaCry from continuing to destabilize half the planet’s IT systems. Marcus had become a hero in the blink of an eye.

But every story has a flip side, and this one is no exception. At the beginning of August 2017, just three months after his heroic act, Hutchins was arrested by the FBI (an organization that had, not long before, offered him a job) while he was on a trip to the United States. The reason? The British IT researcher was the creator of Kronos, a piece of malware that had been stealing banking details from people all over the world since 2014, becoming a real headache for financial institutions. Hutchens admitted to creating the malware, and pleaded guilty to the six charges leveled against him.

Hutchins’s legacy was far-reaching: in 2018 a very similar Trojan to Kronos surfaced, now named Osiris, which essentially acted in the same way. The hero had become the villain in just three months, the fallout from his cybercrimes far outweighing the great service he performed in stopping WannaCry.

How do Kronos and Osiris work?

Hutchins created Kronos when he was just 19. It worked in the following way:

1.- Creation and sale. He created it at home along with a friend, who helped him to write the code. Hutchins himself never undertook to attack banks. What he did was to access deep web markets, especially AlphaBay, in order to sell the malware to several cybercriminals.

2.- Infection. Kronos was sent out by cybercriminals in attachments or even in links. The cybercriminals stole credentials from their victims in order to access their accounts in the affected banks.

3.- Boom. Kronos had been in action since 2014, but its greatest boom was in 2015, when IMB affirmed that the Trojan had managed to infiltrate the code of several banks, especially in the UK and India.

4.- New version. After a few years of silence, Osiris took the baton from Kronos and improved it, returning to phishing campaigns and including an exploit kit to be able to weaken banks’ financial cybersecurity.

How to avoid these kinds of attacks

Banking Trojans are far from an isolated practice; they are a rising trend in cybercrime. Companies and organizations that want to protect their corporate cybersecurity and keep this kind of malware from affecting their credentials need to take appropriate measures.

1.- Raising awareness. We’ve said it time and again: employees tend to be the weakest link in the cybersecurity chain. This is why it is vital that they receive, first of all, proper awareness training about not opening suspicious emails, not clicking links that could take them to unknown websites, and not downloading any kind of attachment. The second thing is to activate an action protocol so that, should an infection occur, the corresponding department can stop it from spreading.

2.- Controlling processes. Human awareness can never be perfect, so organizations need to know what is happening on their network at all times. Panda Adaptive Defense automatically analyzes and monitors the processes on the company’s IT systems in real time. Not only does it detect any intrusion, but it also analyzes anomalous behaviors to avoid problems before they can even arise. Having visibility of all processes allows you to detect any anomaly that poses a risk to the company’s IT security.

3.- Strategic cybersecurity Cybersecurity can’t be the sole concern of a single area in the company; it needs to be present in the business and strategic configuration of the whole company. This way the problems that it can cause it won’t incur any further costs.

It is by no means a question of thinking that there will never be any threats to our corporate or financial cybersecurity. Everyone needs to be aware of the risks, accept them, and as a consequence, enable appropriate tools to monitor them from up close and eliminate them before they can become a reality. Taking proactive steps and having advanced cybersecurity tools makes all the difference, allowing organizations to stop seeing malware as a headache.