|(pc-Google images/ Trojan NukeBot)|
The leaked source code for the Nukebot banking Trojan has been used to target banks in the United States and France with variants of the malware. Another group has also adapted it to steal mail client and browser passwords.
The leak was disclosed in early March when the malware’s author, a hacker known as Gosya, posted a link to the source code download in a number of black market forums.
Researchers at Kaspersky Lab have said that they have a number of compiled samples of Nukebot created since the leak, many of which appear to be test samples.
“Most of them were of no interest, as they stated local subnet addresses or ‘localhost/127.0.0.1’ as the C&C address,” said Kaspersky Lab malware analyst Sergey Yunakovsky. “Far fewer samples had ‘genuine’ addresses and were ‘operational.”
Of the compiled samples, Yunakovsky said around five percent were being used in attacks.
Of those used in attacks, Yunakovsky said that an analysis of the web injections in the code indicate an interest in compromising banks in France and the U.S.
“In order to trigger web injections, we had to imitate interaction with C&C servers. The C&C addresses can be obtained from the string initialization procedure,” Yunakovsky said. “When first contacting a C&C, the bot is sent an RC4 key which it uses to decrypt injections. We used this simple logic when implementing an imitation bot, and managed to collect web injections from a large number of servers.
IBM, in late March, disclosed the Nukebot leak, and pointed out that Gosya had likely shared the source code because the author had lost trust in underground forums.