UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF WISCONSIN
_____________________________________________________________________________
UNITED STATES OF AMERICA,
Plaintiff,
v.

Case No. 17-CR-124

MARCUS HUTCHINS,
Defendant.
______________________________________________________________________________
UNITED STATES’ SENTENCING MEMORANDUM
______________________________________________________________________________
The United States of America, by its attorneys, Matthew D. Krueger, United
States Attorney for the Eastern District of Wisconsin, and Assistant United States
Attorneys Benjamin Proctor and Benjamin Taibleson, files this memorandum in
advance of the sentencing hearing set for July 26, 2019.
I.

Introduction.
Before he became known internationally for his role in thwarting the

WannaCry ransomware attack in 2017, Marcus Hutchins built and sold
sophisticated malware packages that had one purpose: to covertly steal personal
information, including banking credentials, from unsuspecting victims around the
world. He did so because, put simply, he wanted to make money. It is this darker
side of Hutchins’ life that brings him before the Court for sentencing in this case.
At issue in this case are two of Hutchins’ creations: UPAS Kit and Kronos.
Hutchins wrote them, and his accomplice, “Vinny,” advertised and sold them in

1
Case 2:17-cr-00124-JPS Filed 07/22/19 Page 1 of 13 Document 131

 online hacking forums. The FBI began investigating the actors behind UPAS in
2012 and Kronos in 2015. In late 2016, the FBI obtained chat logs establishing that
Marcus Hutchins, aka “MalwareTech,” created these malware products.
In May 2017, after the FBI obtained Hutchins’ chat logs, and while it
finalized its investigation, Hutchins was publically credited with stopping the
WannaCry ransomware outbreak. WannaCry, while significant, is entirely separate
from this investigation and prosecution. In July 2017, Hutchins travelled to the
United States and was arrested for his role in marketing and distributing Kronos
and UPAS.
In May 2019, Hutchins entered a guilty plea to Counts One and Two of the
superseding indictment. Doc. #124. Per the plea agreement, the government agrees
not to make a sentencing recommendation. In this memorandum, the government
will simply highlight aspects of the offense and the defendant’s history that are
relevant to the Court’s sentencing decision.
II.

Analysis of the Factors Under 18 U.S.C. § 3553(a).
The sentence the Court imposes should be sufficient, though not greater than

necessary, to reflect the seriousness of the offense, promote respect for the law,
adequately punish the crimes committed, deter other criminal conduct, protect the
public from the defendant and provide for any particularized needs of the
defendant. 18 U.S.C. § 3553(a)(2). In determining the appropriate sentence, the
Court must consider the factors set forth in 18 U.S.C. § 3553(a). United States v.
Harris, 490 F.3d 589, 593 (7th Cir. 2007). In addition to the goals outlined above,

2
Case 2:17-cr-00124-JPS Filed 07/22/19 Page 2 of 13 Document 131

 these factors include the nature and circumstances of the offense and the history
and characteristics of the defendant; the Sentencing Guidelines range; and the need
to avoid unwarranted disparities among similarly situated defendants.
A. The sentencing guidelines.
In the plea agreement, the parties agree on the base offense level for both
counts and on several specific guidelines adjustments. These include increases for
committing an offense involving at least 10 victims under U.S.S.G. § 2B1.1(b)(2)(A);
for committing a substantial part of the offense outside of the United States under
§ 2B1.1(b)(10); for computer hacking in violation of 18 U.S.C. § 1030 with an intent
to obtain personal information under § 2B1.1(b)(18)(A); and for committing an
offense in violation of 18 U.S.C. § 1030(a)(5) under § 2B1.1(b)(19)(A)(ii). The parties
further agree to recommend a reduction for conspiracy under § 2X1.1(b)(2), and a
reduction for timely acceptance of responsibility under § 3E1.1.
The parties disagree over whether there should be an adjustment for loss
under § 2B1.1(b)(1). While it is undisputed that Hutchins’ malware has been used to
infect numerous computers all over the world, loss calculation is challenging
because of the very nature of the offense and conduct of the defendant: the
defendant and his accomplice communicated via encrypted communications, the
malware was sold through encrypted communications, the defendant worked to
disguise his role in the offense, the malware was designed to be undetectable on
victim computers, the offense was perpetrated overseas, and the defendant’s
property facilitating the offense was neither turned over to law enforcement nor

3
Case 2:17-cr-00124-JPS Filed 07/22/19 Page 3 of 13 Document 131

 recovered. Further, it is challenging to calculate actual monetary losses stemming
from others’ use of Trojans like Kronos/UPAS to steal personal information. This is
true not only due to the nature of the offense, but also because attackers often sell
the information they harvest from victim computers to other criminals who will not
know how or when the information was obtained. With all of this in mind, however,
the government has provided the presentence report writer with several facts
relevant to loss as defined under § 2B1.1(b)(1).
In the end, any calculation of “loss” under § 2B1.1(b)(1) will be an estimate.
This is due to limitations noted above, many of which were the direct aim and
achievement of defendant. But this court “need only make a reasonable estimate of
loss.” § 2B1.1(b)(1) Application Note 3(C). The facts the government provided to the
PSR writer provide a reasonable basis for a reasonable estimate of that loss.
Finally, § 2B1.1 does not account for the invasion of personal privacy and
security inherent in these types of malware cases. Therefore, regardless of the
guidelines, “loss” should be considered as part of the overall offense under 18 U.S.C.
§ 3553(a).
B. Nature and circumstances of the offense.1
While computer hacking is often viewed an offense committed by lone wolves,
that is not necessarily the reality. In reality, hacking can be organized, with actors
exchanging information and working together to better victimize their targets. One

Additional details of the offense are set forth in the plea agreement, Doc. #124, and the
presentence report.
1

4
Case 2:17-cr-00124-JPS Filed 07/22/19 Page 4 of 13 Document 131

 form of hacking involves the use of malicious software (malware) to infect
computers and steal information. Creating effective malware requires special skills
not possessed by all hackers. Thus, marketplaces develop where malware creators
can market their wares to those seeking to attack others. Those same markets
provide space where attackers can sell the information they steal from victim
computers. Moreover, those who create malware may want assistance in effectively
marketing it to other hackers. This confluence gives rise to business partnerships
intended to maximize sales and profits.
Marcus Hutchins is a skilled malware coder. Between July 2012 and
September 2015, Hutchins created and helped market malware known as UPAS Kit
and Kronos. Hutchins wanted to make money, but he also wanted to insulate
himself from potential capture by delegating the actual sales and servicing of his
products. Therefore, he collaborated with an individual known by aliases such as
“Aurora123,” “Vinny,” and “VinnyK,” who advertised and sold the malware.
Hutchins would periodically update the malware, and Vinny would keep in contact
with customers. Hutchins and Vinny agreed to split their profits evenly.
Kronos is a banking Trojan. A Trojan is a type of malware disguised as
something else (such as an email attachment) to trick victims into downloading and
running malicious code on their computers. The malicious code allows the attacker
to steal sensitive information (like financial data, emails, and passwords) from a
victim computer without the victims’ knowledge. Kronos, in particular, has multiple
functions. It was designed to give the attacker the ability to steal banking

5
Case 2:17-cr-00124-JPS Filed 07/22/19 Page 5 of 13 Document 131

 credentials from victims’ computers using a process called keylogging. It also had
“form grabber,” “web-inject,” and virtual network connection (“VNC”) capabilities.
A form grabber intercepts data being sent from a computer’s internet browser
to a website. For Kronos, this feature gives the attacker the ability to steal banking
login credentials and personal information when a victim tries to access online
banking services.
Web injects work by intercepting and modifying data being sent from a
website to a computer’s internet browser. The modifications are typically fraudulent
invitations for the victim to provide unnecessary personal and account information.
That information is then covertly relayed to the attacker’s system. In banking
Trojans, web injects can be configured to identify specific banking websites, and
then inject content specifically referencing those banks.
VNC is a graphical desktop sharing system that gives users remote access to
another computer. For purposes of malware, VNCs establish a connection to the
victims’ computer, which gives the attacker the ability to perform any task as if the
attacker was physically present at the victim computer.
Kronos was configured to work on multiple internet browsers, including
Chrome, Internet Explorer, and Firefox. Once installed, it would communicate with
the attacker’s command-and-control computer, relaying stolen information,
downloading more malware, or performing any other malicious activity directed by
the attacker. After an attacker purchased the Kronos malware package from

6
Case 2:17-cr-00124-JPS Filed 07/22/19 Page 6 of 13 Document 131

 Hutchins and Vinny, the attacker could deploy that malware in a variety of ways to
try to infect as many victim computers as desired.
UPAS worked in a manner similar to Kronos as a banking Trojan. An FBI
computer scientist who examined both UPAS and Kronos called Kronos an updated
version of UPAS with more features and further code development.
In 2012, Hutchins and Vinny (going by “Aurora123”), advertised UPAS Kit on
a hacking forum. The advertisement stated in relevant part: “Upas is a modular
hxxp bot, with was created with one aim—to save you some headaches. . . . In
general the system operates silently without alerting antivirus programs.” The
advertisement listed the many features of UPAS, including a USB spreader, FTP
grabber, form grabber, its ability to work on various internet browsers, and prices.
Later, in November 2012, Aurora123 advertised that UPAS was updated to include
webinjects. A confidential source working with the FBI purchased UPAS from
Aurora123 in 2012.
Starting in 2014, the FBI observed “Vinny” advertising Kronos in various
online forums dedicated to the sales of illegal goods and services. In 2014, an FBI
confidential source made contact with Vinny and chatted about Kronos’
functionality. Vinny directed the source to a video on YouTube that Vinny and
Hutchins used to promote sales of Kronos. The video walks through how to easily
operate the Kronos control panel, and then demonstrates how the malware collects
and stores user credentials after a visit to an Amazon account.

7
Case 2:17-cr-00124-JPS Filed 07/22/19 Page 7 of 13 Document 131

 On June 11, 2015, an FBI source arranged the purchase of Kronos from
Vinny. After the transfer of funds was complete, Vinny configured the control panel
using domains that the source had provided to Vinny, and transferred the Kronos
code to the source. A few weeks later, Vinny contacted the source, asking how
Kronos was working and whether the source needed crypting services for Kronos.
“Crypting” is the process of scanning malware against antivirus tools to see if those
tools detect and block the malware. If the malware is blocked, the crypting service
makes custom changes to the malware code so that it appears as something benign
to the antivirus tools.
As Hutchins acknowledges, since 2014, Kronos has been used to infect
numerous computers around the world and steal banking information. See Doc.
#124 Att. A at 1. Reports of Kronos’ impact on banks in Europe were published back
in 2014. See, e.g., “New Banking Trojan ‘Kronos’ Attacks French Banks,” SC
Magazine UK, Aug. 5, 2014, available at https://www.scmagazineuk.com/newbanking-trojan-kronos-attacks-french-banks/article/1480575 (last visited July 19,
2019); see also “UK Banks Hit with New Zeus Sphinx Variant and Renewed Kronos
Banking Trojan Attacks,” Security Intelligence, Oct. 2, 2015, available at
https://securityintelligence.com/uk-banks-hit-with-new-zeus-sphinx-variant-andrenewed-kronos-banking-trojan-attacks/ (last visited July 19, 2019).
Authorities in Poland identified Kronos as one of the top four banking
Trojans infecting Polish systems in 2014. Later reports noted Kronos’ impact on
other countries, including Canada and the United States. See “Banking Trojans go

8
Case 2:17-cr-00124-JPS Filed 07/22/19 Page 8 of 13 Document 131

 Loonie for Toonies: Dridex, Vawtrak and Others Increase Focus on Canada,”
Proofpoint, June 29, 2016, available at https://www.proofpoint.com/us/threatinsight/post/banking-trojans-dridex-vawtrak-others-increase-focus-on-canada
(noting a spam attack in May 2016 that loaded Kronos, which was configured to
target U.S., Canadian, and Australian financial services websites).
Reports of Kronos infections continue through the present. See, e.g., “Kronos
Banking Trojan Used to Deliver New Point-of-Sale Malware,” ProofPoint, Nov. 15,
2016, available at https://www.proofpoint.com/us/threat-insight/post/kronos-bankingtrojan-used-to-deliver-new-point-of-sale-malware (last visited July 19, 2019); “Kronos
Reborn,” ProofPoint, July 24, 2018, available at https://www.proofpoint.com/us/threatinsight/post/kronos-reborn (last visited July 19, 2019). The Kelihos botnet, which
infected hundreds of thousands of victim computers, was observed loading Kronos on
computers through an email phishing campaign in late 2016. See, e.g., Arora, et. al.,
“Kelihos Botnet: A Never-Ending Saga,” Annual ADFSL Conf. on Digital Forensics,
Security and Law 2017, p. 18, available at
https://commons.erau.edu/cgi/viewcontent.cgi?article=1271&context=adfsl.
Leading international cyber security firms have reported hundreds of Kronos
alerts over the years. For instance, one leading firm detected more than 600 specific
instances of Kronos between 2014 and 2019 around the world, including more than
100 in the United States. The data shows the infections across many sectors,
including government, financial services, education, manufacturing, technology, and
transportation. Another international firm detected more than 200 different

9
Case 2:17-cr-00124-JPS Filed 07/22/19 Page 9 of 13 Document 131

 variations of Kronos between 2014 and 2019, each variation potentially
representing numerous infected machines. The U.S. Department of Homeland
Security, Cybersecurity and Infrastructure Security Agency (CISA), reports that
Kronos botnets have had a modest presence since 2014 and remain active today.
CISA and a third-party firm observed thousands of alerts for Kronos between 2014
and 2019, with a significant increase between 2015 and 2017.2 See Exhibit A.3
C. History and characteristics of the defendant.
Marcus Hutchins is a young man with an obvious talent for coding.
Unfortunately, early on, he decided to use that talent to create devices with the sole
purpose of helping steal from innocent victims. He pursued that path because he
was greedy and thought he would make around $100,000 per year selling malware.
See Doc. #124 Att. A at 3. While records show that Vinny and Hutchins sold several
packages of malware, Hutchins later complained to a friend that, despite his best
efforts, he did not profit as much as he had hoped. Doc. #124 Att. A at 3.
Marcus Hutchins has since made a good decision to turn his talents toward
more positive ends. He has a job in which he focuses on detecting and combating
malware. And in May 2017, Hutchins helped stop the WannaCry ransomware
attack that was crippling computers around the world. For this act, Hutchins
rightly received international acclaim and notoriety. With this in mind, the

Reporting entities note that, due to the nature of the research topic, some false positives are
possible.
2

3

Exhibit A is a report produced by CISA providing general information regarding Kronos.

10
Case 2:17-cr-00124-JPS Filed 07/22/19 Page 10 of 13 Document 131

 government made concessions in the plea agreement to Hutchins’ benefit, while still
holding him accountable for his criminal conduct.
Also to his credit, Hutchins has accepted responsibility for his illegal conduct
and timely entered a guilty plea. This decision was made after Hutchins pursued
and lost several pretrial motions to suppress evidence and dismiss counts, but his
decision to acknowledge guilt is undoubtedly a positive aspect for the Court to
consider.
D. Imposing a sentence that reflects the seriousness of the offense,
promotes respect for the law, and provides a measure of deterrence.
In considering the factors under 3553(a), the government believes that the
serious nature of the offense, the need to promote respect for the law, and the need
to provide a measure of deterrence to other malware developers are particularly
important.
It cannot be disputed that this offense is serious. Criminals who develop and
sell malware are at the root of computer hacking crimes. Careful development of
effective malware is a time consuming effort, demanding special skills possessed by
few people. By creating and selling sophisticated malware, actors like Hutchins
equip hackers with tools to cause extensive harm on a worldwide scale. For this
reason, law enforcement agencies dedicate substantial resources to identifying and
prosecuting malware developers, sellers, and users.
Hutchins and his partner dedicated years to developing, updating, and
selling dangerous malware to anyone who would buy it. They marketed the
malware specifically to criminals, using forums dedicated to illegal activities. The
11
Case 2:17-cr-00124-JPS Filed 07/22/19 Page 11 of 13 Document 131

 central purpose of Hutchins’ malware was to invade privacy and steal things of
value from innocent victims. The malware was expensive and effective because it
could do this without being detected, and it was designed to be easy to use. Kronos
and UPAS logged the content of typed messages, as well as usernames and
passwords for all manner of accounts. Such sensitive information could be used to
spy on people, steal their identities, and worse. The malware was configured to
detect and target victims’ banking credentials, which could be used to steal victims’
life savings. That was, inevitably, the primary source of its value – it is why
Hutchins thought he would make a lot of money selling it.
Hutchins’ malware was purchased and used by hackers. Identifying
individual attackers and victims is necessarily difficult because, as noted, sales to
attackers were conducted through encrypted communications, the malware was
designed to be undetectable on victim computers, and Hutchins’ criminal conduct
took place while he resided in another country, using devices not recovered by law
enforcement. But, there is no confusion as to the criminal purpose behind the
development and distribution of UPAS and Kronos. The ramifications of Hutchins’
inventions are still being felt today.
By all accounts, Hutchins no longer produces malware and instead uses his
skills to combat malware attacks. This is a good thing. But that does not permit him
or anyone else to pretend his criminal conduct was insignificant. Like a man who
spent years robbing banks, and then one day came to realize that was wrong, and

12
Case 2:17-cr-00124-JPS Filed 07/22/19 Page 12 of 13 Document 131

 even worked to design better security systems, he deserves credit for his epiphany.
But he still bears responsibility for what he did.
Computer hacking has become a prevalent threat in all aspects of our society.
Hacking tools like Kronos and UPAS allow criminals of all skill levels to secretly
access, use, and sell victims’ personal information. The internet allows these
criminals to work remotely and anonymously, making it difficult for law
enforcement to identify and apprehend them. It is therefore important that, when
malware creators are identified, the public knows these individuals will be held
accountable for their actions.
III.

Conclusion
This case presents a unique mix of aggravating and mitigating circumstances

for the Court to consider in arriving at the appropriate sentence. Counsel for the
United States will have additional comments at the hearing.
Dated at Milwaukee, Wisconsin, this 22nd day of July 2019.
Respectfully submitted,
MATTHEW D. KRUEGER
United States Attorney
By:

s/ Benjamin Proctor
BENJAMIN PROCTOR
BENJAMIN TAIBLESON
Assistant United States Attorneys
Benjamin Proctor Bar No.: 1051904
Office of the United States Attorney
Eastern District of Wisconsin
517 E. Wisconsin Ave. Suite 530
Milwaukee, Wisconsin 53202
Tel: (414) 297-1700
Email: benjamin.proctor@usdoj.gov
13

Case 2:17-cr-00124-JPS Filed 07/22/19 Page 13 of 13 Document 131

 Kronos Trojan Still Active – June 2019
Kronos is a banking malware capable of intercepting web browsing data, injecting its own malicious
code into webpages, and downloading additional payloads, while also employing a user-mode rootkit
to hide its presence on an infected system.
The Department of Homeland Security and a trusted third party observed Kronos activity in the
United States from 2015 – 2019, with increases observed in mid-November 2016 and in quarter two of
2019. Additionally, a spike was observed on federal, state and local networks in quarter four of 2018.
It is noted by the trusted third party that it is possible some of the detections are false positives.

Observed Kronos Alerts from 2014 - 2019
2500

2000

1500

1000

500

0
2014

2015

2016

2017

2018

2019

2019-06-13

Case 2:17-cr-00124-JPS Filed 07/22/19 Page 1 of 5 Document 131-1

 MALWARE HISTORY
The Department of Homeland Security and trusted third parties first observed Kronos advertised
on an established Russian cyber-criminal forum by the actor "VinnyK" in June 2014. Like most new
banking Trojans to emerge, forum actors were skeptical of its reliability, particularly Russian speaking actors as VinnyK likely does not speak Russian and was new to the forum. However, it
appears that VinnyK commands an adept technical skillset and connections to well-known cyber
crime operators.
Kronos botnets have had a modest presence since its initial release in 2014 and are still active
today. More recent discussions on underground forums indicate that Kronos licenses cost $3,000
USD, a decrease from its initial price point of $7,000 USD. One Kronos botnet was observed
loading a new point-of-sale (POS) malware known as ScanPOS in November 2016. Currently, it
appears that several different actors are deploying and maintaining separate Kronos botnets.
Several malware customers have been identified hosting C&C on notorious bulletproof hosting
infrastructure.

TARGETING
Kronos malware is almost certainly being distributed by multiple customers and, therefore, financial
targeting is somewhat geographically distributed. For example, one Kronos botnet hosted on
Fluxxy revealed malware infecting hosts in Spain, Romania, Germany, Greece, and the U.S.,
though overall geographical targeting is more widespread than this. Campaigns have also been
observed targeting Canadian and Australian financial institutions. As seen in the below chart,
between 2014 – 2019 industries ranging from education, telcom, energy, healthcare and others
have been impacted the Kronos Trojan.

2019-06-13

Case 2:17-cr-00124-JPS Filed 07/22/19 Page 2 of 5 Document 131-1

 Currently, most Kronos campaign targeting appears to be opportunistic. However, it is noteworthy
that a Kronos campaign in 2016 – 2017 delivering ScanPOS appeared to specifically target retail
and hospitality sectors in the U.S.

Federal, State and Local Networks
According to a source with first hand access to the information, between the August of 2016 and
December of 2017, officials identified Kronos malware activity on U.S. State and local government
information systems.
Additionally, multiple states detected and reported cyber reconnaissance and intrusion activity
targeting their network that resolved to domains hosting a Kronos C2.
According to a trusted third party, an increase in Kronos alerts on Federal, State and Local
networks occurred in quarter 4 of 2018. (Figure 2)

Observed Kronos Alerts At Federal State and Local Networks
400
375
350
300
250
200
150
105

100

56

50
0

1
2016 Qtr3

8
2016 Qtr4

2017 Qtr2

2017 Qtr3

24
2017 Qtr4

29
10
2018 Qtr3

5
2018 Qtr4

2019 Qtr1

2019 Qtr2

2019 Increase at Education
According to a trusted third party, a large spike in Kronos traffic was observed within the education
sector, as noted by figure 4.

2019-06-13

Case 2:17-cr-00124-JPS Filed 07/22/19 Page 3 of 5 Document 131-1

 Kronos Alert Volume By Sector from 2016 - 2019
1400
1200
1000
800
600
400
200
0
2016

2017

2018

2019

Education

Financial Services

Government: Federal

Government: State & Local

Healthcare

High-Tech

Manufacturing

Service Provider

Services/Consulting

Telecom

Transportation

Other

MALWARE TECHNICAL OVERVIEW
Kronos is a banking malware capable of intercepting web browsing data, injecting its own
malicious code into webpages, and downloading additional payloads. The malware also employs
user-mode rootkit code to hide its presence on infected systems.
Upon initial execution, the malware injects its malicious content into a new svchost.exe process
and performs several anti-analysis checks. It collects a variety of system information to report back
to the C&C server. The original executable is copied into the %APPDATA%\Microsoft\<GUID>\
directory as a hidden file and an associated AutoRun key is generated for persistence.
A new thread is created for opening two sockets: one listening on localhost (127.0.0.1) port 32767
to receive the malware's webinject configuration and intercepted browsing traffic, while the other
listens on localhost port 32768 to forward intercepted data to a C&C server or its intended
destination after being injected. The local listeners create a proxy that allows the malware to
evaluate captured browser traffic, inject its own code into browser webpages, and forward stolen
browser data to a C&C server. While these port numbers are hardcoded in the malware, they are
incremented during execution as new connections from infected processes are created.
Next, an embedded DLL capable of stealing browsing data from popular browsers is loaded into
memory. The malware creates a new thread that injects the DLL into any instance of iexplore.exe,
chrome.exe, firefox.exe, or opera.exe. It hooks numerous specified functions, which allows the
malware to hijack browser socket connections and redirect their data to a local listener on a
specified port. Next, the malware begins hooking functions within browser and system DLLs based
on the process into which it was injected. Intercepted network traffic is directed to the local listening
port written to the DLL prior to its injection.
2019-06-13

Case 2:17-cr-00124-JPS Filed 07/22/19 Page 4 of 5 Document 131-1

 The injected svchost.exe process attempts to hide the existence of the malware on the system by
injecting user-mode rootkit shellcode into all running processes. The shellcode accomplishes this
by hooking several ntdll.dll functions. The hooking code hides the currently running malware
process, based on process ID, and other malware artifacts, such as registry keys used and the
location of the malware binary on disk.
The malware attempts to communicate with a C&C server every 10 seconds. Each C&C URL is
contacted up to three times. If a valid response is not received in three attempts, the next C&C
URL is contacted. This continues until the C&C list is exhausted or a valid C&C response is
received, at which point the malware sleeps for 15 minutes and begins this process again.
The malware decodes a C&C server's response using a single-byte XOR key found at offset 0x01
within the response.
Once the configuration is successfully downloaded from the C&C and written to disk, the malware
sends the plaintext configuration to its own socket listening on a localhost port. The decrypted
configuration likely contains webinject HTML code used to perform man-in-the-browser (MiTB)
attacks, which allow the malware to alter communications to webpages and steal browsing-related
information.

CONCLUSION
The Kronos Trojan has persisted globally from 2014 to 2019.

Observed Kronos Activity by Quarter from 2014 - 2019
1600
1489

1400
1268

1200
1000
800

858

793

749

600
433

400

266

200
0

75

33

28

74

129

36

349
139

6
4
2
1
2014 2015 2015 2015 2015 2016 2016 2016 2016 2017 2017 2017 2017 2018 2018 2018 2018 2019 2019
Qtr3 Qtr1 Qtr2 Qtr3 Qtr4 Qtr1 Qtr2 Qtr3 Qtr4 Qtr1 Qtr2 Qtr3 Qtr4 Qtr1 Qtr2 Qtr3 Qtr4 Qtr1 Qtr2

2019-06-13

Case 2:17-cr-00124-JPS Filed 07/22/19 Page 5 of 5 Document 131-1