In May 2015, clients of a large Russian bank received emails requiring them to urgently provide a bank account statement to the tax authorities. The emails were disguised as legitimate messages from the bank. However, the taxes.exe file delivered to the victims contained the Kronos banking Trojan. After installation, the Trojan stole money using fake web pages (web injects) in the browser when a user attempted to perform transactions on online banking pages.
Through investigative activities, Group-IB specialists gained access to the Kronos control panel. The stolen money appeared to have been transferred to the accounts of two Russian companies. There is a hypothesis that the funds were then cashed out by 'mules' and transferred to another country.