Some opportunistic criminals have put the leaked source code for the Nukebot banking Trojan to use, targeting banks in the United States and France with variants of the malware, while another group has adapted it to steal mail client and browser passwords.
The leak was disclosed in early March when the malware’s author, a hacker known as Gosya, posted a link to the source code download in a number of black market forums.
Researchers at Kaspersky Lab today said they have a number of compiled samples of Nukebot created since the leak, many of which appear to be test samples.
“Most of them were of no interest, as they stated local subnet addresses or ‘localhost/127.0.0.1’ as the C&C address,” said Kaspersky Lab malware analyst Sergey Yunakovsky. “Far fewer samples had ‘genuine’ addresses and were ‘operational.'”
Of the compiled samples, Yunakovsky said around five percent were being used in attacks, and it’s unknown yet whether a few scattered criminals are using the code, or whether it’s in the hands of an organized group.
Of those used in attacks, Yunakovsky said that an analysis of the web injections in the code indicate an interest in compromising banks in France and the U.S.
Some of the test samples Kaspersky Lab has in its possession are plain-text strings, and researchers were able to extract command and control addresses and other data used in analysis from the malware. The operational versions of Nukebot, however, were encrypted, requiring researchers to first extract the keys in order to establish the string values, Yunakovsky said.
“In order to trigger web injections, we had to imitate interaction with C&C servers. The C&C addresses can be obtained from the string initialization procedure,” Yunakovsky said. “When first contacting a C&C, the bot is sent an RC4 key which it uses to decrypt injections. We used this simple logic when implementing an imitation bot, and managed to collect web injections from a large number of servers.
“Initially, the majority of botnets only received test injects that were of no interest to us,” Yunakovsky said. Later, however, we identified a number of NukeBot’s ‘combat versions.'”
Some modified versions of Nukebot did not have web injections, Yunakovsky said. Those instead are spread via droppers, and after they’re unpacked, the malware downloads a number of password recovery utilities from a remote server under the attacker’s control.
IBM, in late March, disclosed the Nukebot leak, and pointed out that Gosya had likely shared the source code because the author had lost trust in underground forums.
Gosya made some immediate missteps, IBM’s Limor Kessem and Ilya Kolmanovich said, starting with him putting the malware up for sale before it was verified by forum administrators. Attempts to soothe things over in the forum failed, IBM said, and soon Gosya was banned outright when it was discovered he was selling the malware on different forums under a different name (Micro Banking Trojan).
“When fraudsters realized that the same person was trying to vend under different names, they got even more suspicious that he was a ripper, misrepresenting or selling a product he does not possess,” Kessem and Kolmanovich wrote.
Nukebot appeared in December 2016 on the underground. The banking malware not only arrived fashioned with web injects for a number of financials institutions, but also included man-in-the-browser functionality, according to researchers from Arbor Networks. IBM said the malware was well designed to steal banking login data.