An Uncommon Tale of a Failed Banking Trojan Vendor

In early December 2016, IBM X-Force researchers noticed the emergence of a new banking malware advertised for sale in a few underground boards. The malware’s vendor, who went by the online moniker Gosya, was a Russian-speaking member who introduced himself as the developer of Nuclear Bot, or NukeBot, a modular banking Trojan.

Considering the demand for commercially available malware in the cybercrime community, this malware should have been accepted very eagerly. But instead, its developer’s user account was banned from multiple forums. In March 2017, the source code was leaked, apparently by the developer himself.

What led to this leak, and what impact can we expect as a result?

Gosya Comes to Town

In cybercrime forums, and especially in the more closed and Russian-speaking communities, members earn credibility by following certain customary steps. To begin, they must be introduced by a known member and vetted by the community according to what they can offer. Most importantly, they must gain the trust of the administrators running the board.

When Gosya joined underground communities, he apparently did not follow all the customary steps. He was introduced by a known member but took some wrong turns from there.

Immediately upon joining, Gosya began advertising a new banking malware for sale. According to X-Force research observations, he did not have the malware tested and certified by forum admins, nor did he provide any test versions to members. At the same time, he was attacked by existing competition, namely the FlokiBot vendor, who wanted to get down to the technical nitty gritty with him and find out if Gosya’s claims about his malware’s capabilities were indeed viable.

In posts where he replied to challenging questions, Gosya got nervous and defensive, raising suspicion among other forum members. This was likely a simple case of inexperience, but it cost him the trust of potential buyers.

For his next wrong move, Gosya started selling on additional forums under multiple monikers. When fraudsters realized that the same person was trying to vend under different names, they got even more suspicious that he was a ripper, misrepresenting or selling a product he does not possess. The issue got worse when Gosya changed the malware’s name to Micro Banking Trojan in one last attempt to buy it a new life.

That was the point when Gosya was banned in the forums where he was attempting to sell his bot.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

Was NukeBot Ever Real?

The notable part of this case is that NukeBot is an actual banking malware. It is a functional, modular Trojan that comes with a web-based admin panel to control infected endpoints. The malware is capable of webinjections and does not fall short of other, similar code by much.

Figure 1 NukeBot’s Web-Based Admin Panel

When NukeBot had a test server up, it was captured and analyzed by Arbor Networks, which blogged about it in December 2016. Based on this analysis, the malware was a functional and viable code from the get go.

IBM X-Force researchers also analyzed NukeBot, specifically because Gosya claimed it was able to circumvent IBM Security’s antifraud protection product, Trusteer Rapport. These claims were dispelled by X-Force, which determined that NukeBot did not affect Rapport at any point in its development. X-Force researchers also concluded that NukeBot was not a fake product and that its developer was not being taken seriously due to the way he introduced the malware, not because it was a hoax.

A Bruised Ego and a Malware Code Leak

Banned from the underground venues where he planned to sell NukeBot and distrusted by members of the cybercrime community, NukeBot’s developer was likely struggling to come to terms with months of hard work amounting to nothing.

In mid-March 2017, X-Force researchers noticed that NukeBot’s code was leaked in a web-based source code management platform and made available for anyone to pick it up. This move appears to have been the action of the developer, not an intentional leak by another party.

What could this mean? An educated guess would be that Gosya was disappointed with the distrust he faced in the underground and decided to release the main module of the malware for others to test and attest to.

In Gosya’s arguments with the FlokiBot developer, the latter boasted the number of Google results that appear when one searches the FlockiBot value. Gosya may think the malware will get picked up by more experienced operators and start appearing in attacks in the wild — and in additional security blogs.

With yet another malware source code out in the open, the most likely scenario is that NukeBot code will be recompiled and used by botnet operators. Parts of it may be embedded into other malware codes, and we are likely to see actual NukeBot fraud attacks in the wild in the coming months.

It’s also possible that Gosya will be readmitted to the same forums from which he was banned, this time as an authorized vendor. He may even deliver on previous promises to supply new modules for the malware.

Code Leaks Mean More Malware

We know from previous incidents, such as the Zeus, Gozi and Carberp leaks, that publicly available source code makes for more malware. This is often incorporated into existing projects. X-Force researchers noted that NukeBot is likely to see the same process take place in the wild, especially since its code is not copied from other leaked malware, per the developer’s claims.

At this time, NukeBot has not been detected in real-world attacks and does not have defined target lists. This situation is likely to change in the near future.

To help stop threats such as NukeBot before they ever cause damage, banks and service providers can use adaptive solutions to detect infections and protect customer endpoints. Fighting evolving malware threats can be made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities.

Consumers wishing to protect themselves from malware infections on endpoints and mobile devices are invited to read our best practices page.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

More from Banking & Finance

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

Cost of a Data Breach: Banking and Finance

The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection. Here’s the most sobering stat: 87% of…

What Do Financial Institutions Need to Know About the SEC’s Proposed Cybersecurity Rules?

On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 – could change reporting requirements. Take a look at some of the big-ticket items and what your organization needs to know.…