KINS 2.0 Malware

In early 2013, researchers discovered an announcement on the Russian black market for the new KINS Trojan toolkit.

The advertisement for the sale of the KINS malware was published on a closed Russian-speaking underground forum.
On June 26, 2015, security experts at MalwareMustDie discovered a package that includes the KINS 2.0.0.0 builder and the source code for its control panel.

KINS version 2.0.0.0 builder binary

Researchers have pointed out that the developers of the malware builder call the tool “KINS Builder.” However, the binaries generated by it actually appear to be versions of the banking malware called ZeusVM. The malware generated by the builder is completely different from previous KINS versions. One of the features borrowed by KINS from ZeusVM is the use of steganography, the practice of concealing a file or message within another file or message. In the case of KINS/ZeusVM, the malware’s configuration data is hidden in a .JPG image file.

Steganography Demonstration
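A triage check for JPG files that carry more than a picture, added here as an example; it is not code from the sources below or from the KINS package. The page does not say where in the image the configuration sits, so the check assumes two common hiding places: bytes appended after the JPEG end-of-image (EOI) marker and comment (COM) segments. The function name and the sample bytes are constructed for illustration.

```python
import struct

NO_LENGTH = {0x01, *range(0xD0, 0xD8)}   # TEM, RST0-RST7: markers with no length field
IN_SCAN = {0x00, *range(0xD0, 0xD8)}     # FF00 byte stuffing and RSTn occur inside scan data

def jpeg_trailing_data(buf: bytes):
    """Walk JPEG segments; return (eoi_offset, bytes_after_eoi, comment_payloads).

    Walking by segment length avoids two traps of searching for FF D9:
    an EXIF thumbnail carries its own EOI, and appended data may contain FF D9.
    """
    if buf[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos, comments = 2, []
    while pos + 1 < len(buf):
        if buf[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = buf[pos + 1]
        if marker == 0xFF:                 # fill byte preceding a marker
            pos += 1
        elif marker == 0xD9:               # EOI: image viewers normally stop here
            return pos, buf[pos + 2:], comments
        elif marker in NO_LENGTH:
            pos += 2
        else:
            if pos + 4 > len(buf):
                raise ValueError("truncated segment header")
            (seglen,) = struct.unpack(">H", buf[pos + 2:pos + 4])
            if seglen < 2 or pos + 2 + seglen > len(buf):
                raise ValueError(f"bad segment length at offset {pos}")
            if marker == 0xFE:             # COM segment: free-form payload
                comments.append(buf[pos + 4:pos + 2 + seglen])
            pos += 2 + seglen
            if marker == 0xDA:             # SOS: skip entropy-coded data to the next real marker
                while pos + 1 < len(buf) and not (
                        buf[pos] == 0xFF and buf[pos + 1] not in IN_SCAN):
                    pos += 1
    raise ValueError("no EOI marker found")

# Constructed sample: structurally valid JPEG skeleton (not a decodable picture)
# followed by 14 appended bytes that themselves contain FF D9.
SAMPLE = (b"\xff\xd8" b"\xff\xe0\x00\x04JF" b"\xff\xfe\x00\x05abc"
          b"\xff\xda\x00\x04\x01\x02" b"\x12\xff\x00\x34\xff\xd0\x56" b"\xff\xd9"
          b"Q09ORklH\xff\xd9tail")

if __name__ == "__main__":
    eoi, extra, comments = jpeg_trailing_data(SAMPLE)
    print(f"EOI at {eoi}, {len(extra)} trailing bytes, {len(comments)} comment segment(s)")
```

A non-empty trailing region or an unusually large comment payload is a reason to inspect the file further, not proof of malware; some cameras and editors also append data after EOI.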

Sources:

    http://blog.malwaremustdie.org/2015/07/mmd-0036-2015-kins-or-zeusvm-v2000.html
    http://securityaffairs.co/wordpress/38372/cyber-crime/kins-malware-builder-leaked.html
    http://www.securityweek.com/source-code-kins-malware-toolkit-leaked-online