An Uncommon Tale of a Failed Banking Trojan Vendor

In early December 2016, IBM X-Force researchers noticed the emergence of a new banking malware advertised for sale in a few underground boards. The malware’s vendor, who went by the online moniker Gosya, was a Russian-speaking member who introduced himself as the developer of Nuclear Bot, or NukeBot, a modular banking Trojan.

Considering the demand for commercially available malware in the cybercrime community, this malware should have been accepted very eagerly. But instead, its developer’s user account was banned from multiple forums. In March 2017, the source code was leaked, apparently by the developer himself.

What led to this leak, and what impact can we expect as a result?

Gosya Comes to Town

In cybercrime forums, and especially in the more closed and Russian-speaking communities, members earn credibility by following certain customary steps. To begin, they must be introduced by a known member and vetted by the community according to what they can offer. Most importantly, they must gain the trust of the administrators running the board.

When Gosya joined underground communities, he apparently did not follow all the customary steps. He was introduced by a known member but took some wrong turns from there.

Immediately upon joining, Gosya began advertising a new banking malware for sale. According to X-Force research observations, he did not have the malware tested and certified by forum admins, nor did he provide any test versions to members. At the same time, he was attacked by existing competition, namely the FlokiBot vendor, who wanted to get down to the technical nitty gritty with him and find out if Gosya’s claims about his malware’s capabilities were indeed viable.

In posts where he replied to challenging questions, Gosya got nervous and defensive, raising suspicion among other forum members. This was likely a simple case of inexperience, but it cost him the trust of potential buyers.

For his next wrong move, Gosya started selling on additional forums under multiple monikers. When fraudsters realized that the same person was trying to vend under different names, they got even more suspicious that he was a ripper, misrepresenting or selling a product he does not possess. The issue got worse when Gosya changed the malware’s name to Micro Banking Trojan in one last attempt to buy it a new life.

That was the point when Gosya was banned in the forums where he was attempting to sell his bot.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

Was NukeBot Ever Real?

The notable part of this case is that NukeBot is an actual banking malware. It is a functional, modular Trojan that comes with a web-based admin panel to control infected endpoints. The malware is capable of webinjections and does not fall short of other, similar code by much.


Figure 1 NukeBot’s Web-Based Admin Panel

When NukeBot had a test server up, it was captured and analyzed by Arbor Networks, which blogged about it in December 2016. Based on this analysis, the malware was a functional and viable code from the get go.

IBM X-Force researchers also analyzed NukeBot, specifically because Gosya claimed it was able to circumvent IBM Security’s antifraud protection product, Trusteer Rapport. These claims were dispelled by X-Force, which determined that NukeBot did not affect Rapport at any point in its development. X-Force researchers also concluded that NukeBot was not a fake product and that its developer was not being taken seriously due to the way he introduced the malware, not because it was a hoax.

A Bruised Ego and a Malware Code Leak

Banned from the underground venues where he planned to sell NukeBot and distrusted by members of the cybercrime community, NukeBot’s developer was likely struggling to come to terms with months of hard work amounting to nothing.

In mid-March 2017, X-Force researchers noticed that NukeBot’s code was leaked in a web-based source code management platform and made available for anyone to pick it up. This move appears to have been the action of the developer, not an intentional leak by another party.

What could this mean? An educated guess would be that Gosya was disappointed with the distrust he faced in the underground and decided to release the main module of the malware for others to test and attest to.

In Gosya’s arguments with the FlokiBot developer, the latter boasted the number of Google results that appear when one searches the FlockiBot value. Gosya may think the malware will get picked up by more experienced operators and start appearing in attacks in the wild — and in additional security blogs.

With yet another malware source code out in the open, the most likely scenario is that NukeBot code will be recompiled and used by botnet operators. Parts of it may be embedded into other malware codes, and we are likely to see actual NukeBot fraud attacks in the wild in the coming months.

It’s also possible that Gosya will be readmitted to the same forums from which he was banned, this time as an authorized vendor. He may even deliver on previous promises to supply new modules for the malware.

Code Leaks Mean More Malware

We know from previous incidents, such as the Zeus, Gozi and Carberp leaks, that publicly available source code makes for more malware. This is often incorporated into existing projects. X-Force researchers noted that NukeBot is likely to see the same process take place in the wild, especially since its code is not copied from other leaked malware, per the developer’s claims.

At this time, NukeBot has not been detected in real-world attacks and does not have defined target lists. This situation is likely to change in the near future.

To help stop threats such as NukeBot before they ever cause damage, banks and service providers can use adaptive solutions to detect infections and protect customer endpoints. Fighting evolving malware threats can be made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities.

Consumers wishing to protect themselves from malware infections on endpoints and mobile devices are invited to read our best practices page.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today