Publication of NukeBot trojan’s source code leads to new ‘operational’ samples

But who is responsible for them?

David bisson
David Bisson
@
@DMBisson

Publication of NukeBot trojan's source code leads to new 'operational' samples

New “operational” samples of the NukeBot banking trojan have emerged months after its original creator published its source code.

NukeBot’s source code leak, which occurred in late March 2017, apparently attracted the attention of malware developers seeking to push out their own threats.

Kaspersky Lab’s Sergey Yunakovsky spotted some of those new samples in the wild. A few are “active,” but most of them only in a limited form. As Yunakovsky explains:

Sign up to our free newsletter.
Security news, advice, and tips.

“We managed to get our hands on a number of compiled samples of the Trojan. Most of them were of no interest, as they stated local subnet addresses or localhost/127.0.0.1 as the C&C address. Far fewer samples had ‘genuine’ addresses and were ‘operational’. The main functionality of this banking Trojan is to make web injections into specific pages to steal user data, but even from operational servers we only received ‘test’ injections that were included in the source code as examples.”

Test injections from the NukeBot source code.
Test injections from the NukeBot source code.

Most of the versions detected by Yunakovsky and his colleagues come with either plaintext or encrypted strings. From that data, Kaspersky Lab extracted NukeBot’s command and control (C&C) addresses. These assets send the malware a RC4 key for decrypting injections after the trojan has successfully established contact.

The web injections conducted by some of NukeBot’s “combat versions” reveal that the malware is mainly going after French and U.S. users’ banking credentials.

Fortunately, at most five percent of the samples detected by Kaspersky were combat-ready. But that doesn’t mean there could be more in the future. As Yunakovsky rightly notes:

“It is still unclear if these versions were created by a few motivated cybercriminals and the use of NukeBot will taper off soon, or if the source code has fallen into the hands of an organized group (or groups) and the number of combat-grade samples is set to grow.”

To guard their banking credentials against threats like NukeBot, it’s important that users install an anti-virus solution on their computers and exercise caution around suspicious links and email attachments.

You should also enable two-factor authentication (2FA) if it is available on your bank account. Some trojans can bypass this security feature, but doing so considerably raises the stakes of an attack beyond the interest or capabilities of ordinary computer criminals.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.