The author behind NukeBot, a modular banking Trojan, released source code for the malware earlier this month in an apparent effort to regain the trust of the cybercrime community.
Gosya, NukeBot’s creator, posted a GitHub link to the malware, calling it a “zeus-like banking trojan,” on several underground forums two weeks ago. Researchers with IBM’s X-Force Research team suggested this week the move may have been done as an act of reverse retribution of sorts.
Limor Kessem and Ilya Kolmanovich, researchers with IBM, said Tuesday that Gosya made some missteps when it came to marketing the Trojan that may have left him no other option than to leak the code.
While hackers conventionally have their malware verified by forum admins, Gosya began peddling the Trojan immediately upon joining one forum. He also “got nervous and defensive, raising suspicion among other forum members” when he replied to questions about NukeBot. Perhaps an even graver faux pas, Gosya elected to sell the same malware on different forums under different names.
“When fraudsters realized that the same person was trying to vend under different names, they got even more suspicious that he was a ripper, misrepresenting or selling a product he does not possess,” Kessem and Kolmanovich wrote.
Gosya even changed NukeBot’s name to Micro Banking Trojan, which did not help either: it got him banned outright from forums.
NukeBot, also known as Nuclear Bot, first surfaced on underground marketplaces back in December. Researchers with Arbor Networks were among the first to dissect the Trojan and reported that it supported a set of bot commands, offered man-in-the-browser functionality, and could download webinjects from its command-and-control server.
When X-Force analyzed NukeBot, also in December, researchers said the malware could be considered an “HTTP bot” that can steal login data on the fly.
Arbor said at the time that it was too soon to tell how active or widespread the Trojan would become, but noted that its asking price of roughly $2,500, more than twice that of Flokibot, another Trojan circulating at the same time, was likely to scare off potential buyers.
Despite all the commotion, NukeBot was a real, working piece of malware rather than a ripper’s scam, researchers say. IBM’s researchers did not publish a technical breakdown of it (Kessem said they had not seen it in live campaigns or attacks), but confirmed Tuesday that it shipped with a web-based admin panel for managing infected endpoints and web injections.
Gosya, in several posts on forums, claimed the malware, now named TinyNuke, comes with a handful of other features as well:
- A formgrabber and webinjects for Firefox, Internet Explorer, and Chrome
- Support for x86 and x64 browsers
- Reverse SOCKS 4
- HVNC (hidden VNC), similar to Hidden Desktop
- A 32 KB binary with obfuscated strings
The fact that Gosya’s efforts to sell the malware fell flat likely prompted him to leak it in its entirety.
“An educated guess would be that Gosya was disappointed with the distrust he faced in the underground and decided to release the main module of the malware for others to test and attest to,” Kessem said.
Now that the code is in the wild, Kessem says it is only a matter of time until it is modified and propagates further. The most likely scenario, she says, is that the code is recompiled, used by botnet operators, and embedded in other malware. There have not been any real-world attacks yet, but that is likely to change soon.
“We think every code leak results in a possibility that attackers will harness and fine-tune it,” Kessem told Threatpost Thursday. “We believe this situation will be very similar.”
That said, it remains to be seen what the true outcome of the code being leaked will be. Source code for the Carberp Trojan was leaked online in the summer of 2013; code for the Zeus crimeware kit was leaked years prior, in May 2011.
Attackers modified Zeus in due course, adding new web injects, customized modules, and a new command-and-control channel: Tor.
More recently, last year, code for the Gozi Trojan and the Nymaim Trojan was leaked online. Once in the wild, criminals melded the two to create GozNym, which attackers used last spring to make off with $4 million, primarily from business banking institutions, credit unions and retail banks.