Merge pull request #238 from Delta-Sierra/master

add Kronos Banking Trojan

clusters/banker.json

@@ -2,7 +2,7 @@
   "uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
   "description": "A list of banker malware.",
   "source": "Open Sources",
-  "version": 10,
+  "version": 11,
   "values": [
     {
       "meta": {
@@ -668,6 +668,18 @@
       "description": "Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a rather traditional fashion to other banking malware and consists of three components (injector32\\64.exe, proxy32\\64.dll and mod32\\64.dll), these components essentially work together to deploy webinjects in several browsers.",
       "value": "Karius",
       "uuid": "a088c428-d0bb-49c8-9ed7-dcced0c74754"
+    },
+    {
+      "meta": {
+        "refs": [
+          "https://en.wikipedia.org/wiki/Kronos_(malware)",
+          "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
+          "https://www.bleepingcomputer.com/news/security/new-version-of-the-kronos-banking-trojan-discovered/"
+        ]
+      },
+      "description": "Kronos was a type of banking malware first reported in 2014. It was sold for $7000. As of September 2015, a renew version was reconnecting with infected bots and sending them a brand new configuration file against U.K. banks and one bank in India. Similar to Zeus it was focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018, the main difference is that the 2018 edition uses Tor-hosted C&C control panels.",
+      "value": "Kronos",
+      "uuid": "5b42af8e-8fdc-11e8-bf48-f32ff64d5502"
     }
   ],
   "authors": [