Another malware building toolkit leaked, botnets already popping up

“Another malware building toolkit has been leaked, allowing less tech-savvy crooks to generate a fully functional variant of the KINS banking Trojan and to inject its configuration code in a JPG file in order for it not to be spotted.

Malware Must Die malware researchers analyzed the leak, and found that it contained the KINS version builder binary and the control panel’s source code.

Despite the toolkit ostensibly allowing the creation of the KINS banking Trojan, the resulting generated binary is that of ZeusVM (v2.0.0.0), which differs completely from previous KINS versions.

“Previous KINS versions don’t use steganography,” the researchers noted, and this binary does. It’s also very similar to several ZeusVM v1 and v2 samples detected earlier.

And even the control panel created with this leaked toolkit looks like a classic ZeuS botnet panel.

Obviously, KINS developers have adapted ZeusVM technology for their malware.

According to the researchers, it didn’t take long for botnets based on machines compromised via this particular malware to pop up.

“We follow the current detected KINS botnet up and alive operated in the internet and we found that at least 10 botnets are using the same default configuration picture and 6 of them are up and alive,” the researchers warned.

In an attempt to limit the damage of this leak, they have been trying to remove links to and take down sites that host the toolkit, and are urging other researchers to attempt to do that as well.

Also, they said that legitimate security researchers are welcome to contact them in order to obtain a sample of the tool to analyze.

This is not the first time that the KINS toolkit has been leaked.

It’s also interesting to note that while this version of the toolkit has been leaked and can be found online for free, KINS version 3 can be bought for 5,000 (presumably US dollars).”
