New Trojan #INTH3WILD: Is Cybercrime Ready to Crown a New “KINS”?


Was that a typo? What is a “KINS”? Well, it appears that KINS is the name of a new professional-grade banking Trojan that is very likely taking its first steps in the cybercrime underground and could be poised to infect new victims as quickly and effectively as its Zeus, SpyEye and Citadel predecessors.

Some Cybercrime History

Since December 2012, when the spokesperson of the Citadel team took the Trojan off the semi-open underground market, cyber criminals have been scrambling to find a replacement. The moment Citadel was off the market, the deep-web enclaves, where fraudsters congregate, became awash with fraud-as-a-service deals for Trojan binaries and hosting packages. During the dry months that had suddenly befallen the lower-ranking cyber criminals, a few shady malware developers attempted to make a few bucks by trying to appease them with basic malware and converted HTTP botnets (Trojans that carry out lists of tasks, equipped with a form-grabber), but even the pseudo return of the Carberp Trojan left the underground hungry for more.

The clear and resounding truth was that botmasters have not had to face such a situation since the Limbo Trojan was released in 2005. The ongoing turbulence since the leak of the Zeus code in mid-2011 has not given way to a stable offering in the underground, and it seems that professional cybercrime malware developers are just not what they used to be.

Underground chatter increasingly reflects the growing appetite for new, ‘real’ banking malware in the online fraud arena, featuring discussions by criminals who would eagerly welcome a new developer and jointly finance a banker project if one would only make sense to them.

The ideal candidate being sought in the underground is a developer of a commercial Trojan for cybercriminals to:

  • Purchase (commercially available),
  • Use with ease (like Zeus),
  • Enjoy quality technical support (like Citadel).

As the dry spell persists, some cyber criminals hang on, lingering in the dark corners of the underworld, waiting for the next Trojan epiphany to keep them gainfully employed in their illicit enterprises.


Has the Time Come?

In early February 2013, RSA fraud intelligence researchers began tracing hints about a new crimeware tool called “KINS”. At the time, the information about the Trojan was just a rumor, but in sporadic comments, fraudsters were associating a Trojan named KINS with the Citadel source code, looking for its developer in order to reach out to him and purchase KINS. The rumors were soon hushed and ties to Citadel were denied, mostly in what appeared to be a case of fearful fraudsters who did not want to be denied the possibility to buy the next Trojan.


KINS is Real

Five months after the initial mention of a banking Trojan dubbed KINS in the underground, a vendor in a closed Russian-speaking online forum announced the open sale of the Trojan to the cybercrime community.

[Figure: KINS for Sale Translation]

Is the KINS Naked?

Although KINS’ author immediately and swiftly denied all ties to other Trojans, it appears that this newcomer already shares a few features of Zeus and SpyEye:

  • KINS architecture is built like Zeus/SpyEye, with a main file and DLL-based plugins
  • KINS is compatible with Zeus web injections, the same as SpyEye
  • KINS comes with the Anti-Rapport plugin which was featured in SpyEye
  • KINS will work with RDP (like SpyEye)
  • KINS does not require technical savvy – much as Zeus doesn’t
  • Users in USSR countries will not be infected by KINS[1] – a feature that was first introduced by Citadel in January 2012.


More from the New KINS

KINS’ developer seems to be a loyal disciple of his predecessors, taking their best practices and applying them to his Trojan. Some of the more telling features are:

  • Keeping KINS away from Trojan trackers – a problem that plagued SpyEye
  • Spread via popular exploit packs such as Neutrino – using one of the most sophisticated packs out there
  • A Bootkit in store – the Trojan will take hold of the infected computer from a much deeper level: its Volume Boot Record (VBR)
  • KINS will easily infect machines running Win8 and x64 operating systems



As the story unfolds, it is not surprising that KINS’ developer is being ushered into the Russian-speaking cybercrime community with much enthusiasm, commended for his decision to make KINS commercial and share it the old-fashioned way.

Beyond being advertised on the most exclusive venues where all other major Trojans were introduced in the past, KINS already appears to be a familiar name in the underground. Its developer is responsive and further offers technical support to new customers, which has become a strong selling point for any malware vendor.

With all other major malware developers choosing to lay low to avoid imminent arrest by law enforcement authorities, KINS’ author is very sure to see an immediate demand for his Trojan, so long as he can avoid capture himself and as soon as high-ranking peers sign off on its crime-grade quality. As that happens, anti-fraud teams around the world may be dealing with a new Trojan in the very near future.

[1] KINS does not work on Russian-language systems. If Russian or Ukrainian specs are detected, the Trojan will terminate.


[1] The vendor accepts the $5,000 payment via WebMoney (WMZ)

[2] RDP (Remote Desktop Protocol) is used by cybercriminals for remote access to infected PCs. The only other banking Trojan using RDP is SpyEye.


Author: Limor Kessem

Limor Kessem is one of the top Cyber Intelligence experts at RSA, The Security Division of EMC. She is the driving force behind the cutting-edge RSA FraudAction Research Lab blog Speaking of Security. Outside of work you can find Limor dancing salsa, reading science fiction or tweeting security items on her Twitter feed @iCyberFighter