A revamped version of the Nukebot banking trojan dubbed Jimmy Nukebot has shifted focus from stealing bankcard data and now acts as a conduit for quietly downloading malicious payloads for web-injects, cryptocurrency mining, and taking screenshots of targeted systems.
According to Kasperky Lab’s analysis of Jimmy Nukebot, the authors “seriously rewrote the Trojan” with the main body restructured and functions moved to the malware’s modules. Nukebot, also known as Nuclear Bot, surfaced on underground marketplaces in December. At the time, the Trojan was packed with a host of commands, a man-in-the-browser functionality and the ability to download web-injects from its command and control server.
With this latest version, “one small difference that immediately stands out is in the calculation of checksums from the names of API functions/libraries and strings,” wrote Kaspersky Lab malware analyst Sergey Yunakovsky in a technical report posted Tuesday. “In the first case, the checksums are used to find the necessary API calls; in the second case, for a comparison of strings (commands, process names).”
Yunakovsky said this new approach makes static analysis of Jimmy Nukebot complicated. “For example, to identify which detected process halts the Trojan operation, it’s necessary to calculate the checksums from a huge list of strings, or to bruteforce the symbols in a certain length range,” he wrote.
This differs from the the similar NeutrinoPOS Trojan that uses two different algorithms to calculate checksums for the names of API calls, libraries and for the strings.
“In Jimmy, only one algorithm is used for these purposes – a slight modification of CalcCS from NeutrinoPOS. The final XOR with the fixed two-byte value was added to the pseudo-random generator,” wrote Yunakovsky.
Since the leak of Nukebot earlier this year, opportunistic criminals compiled several variants of Nukebot. In July, Kaspersky Lab reported many early samples appeared to be test samples with only about five percent used in actual attacks. At the time, Kaspersky Lab said it was unclear if a few scattered criminals were behind the variants or an organized group.
With the latest Jimmy Nukebot variant, “the Trojan has completely lost the functionality for stealing bank card data from the memory of an infected device; now, its task is limited solely to receiving modules from a remote node and installing them into the system,” the researcher said.
Those modules range from web-injects, mining and a large number of updates for the main module in various droppers. “The miner is designed to extract the Monero currency (XMR). In the module code there is an identifier associated with a wallet for which the crypto currency is extracted, as well as the address of the pool,” according to Kaspersky Lab.
Researchers said the web-inject modules target Chrome, Firefox and Internet Explorer, and are able to perform functions similar to those in NeutrinoPOS, such as take screenshots and “raise” proxy servers. “These modules are distributed in the form of libraries and their Internet Explorer functions vary depending on the name of the process in which they are located,” Kaspersky Lab reported.
Yunakovsky said the Jimmy Nukebot sample is an “excellent example of what can be done with the source code of a quality trojan, namely, flexibly adapt to the goals and tasks set before a botnet to take advantage of a new source.”