The Many Faces of the Jimmy Nukebot Trojan


A new variant of the Jimmy Nukebot banking Trojan has surfaced with a fundamental change of priorities: instead of stealing bank card data, it now acts as a loader, fetching malicious modules that perform web-injects, mine cryptocurrency and take screenshots of targeted systems.

Jimmy Nukebot Trojan Now Able to Change Its Goals and Tasks

The Nukebot Trojan is back under its old persona, but the role it plays this time has drastically changed. The latest variant is a modification of the original Nukebot source code, which was leaked after the malware first appeared on underground marketplaces in December 2016.


The authors of the new code have heavily reworked it, moving functions out into separate modules and restructuring the main body. When Nukebot was first discovered, the Trojan carried a host of commands and features, including the ability to download web-injects from its command and control (C&C) server, as well as man-in-the-browser functionality. Researchers highlight a small but significant difference from its predecessor: how checksums are calculated from the names of API functions and libraries and from strings. The predecessor used checksums only to locate the API calls it needed; the new variant uses them to compare strings as well, i.e., commands, process names, etc.

The new approach has given researchers a headache, since it makes static analysis of the Trojan considerably harder. Consider trying to identify which process, when detected, causes the Trojan to stop: because only the checksum is present in the binary, an analyst has to calculate checksums for a massive list of candidate strings or brute-force every combination of symbols within a particular length range.

New Functionalities of the Nukebot

This differs from the related NeutrinoPOS Trojan, which uses two different algorithms to calculate checksums: one for the names of API calls and libraries, another for strings. Nukebot uses a single algorithm for both purposes, a small modification of CalcCS from NeutrinoPOS in which a final XOR with a fixed two-byte value was added to the pseudorandom generator.
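The following is an added illustration, not code from Nukebot, NeutrinoPOS or the researchers cited above. It shows the two halves of the problem described in the preceding paragraphs: a loader that compares checksums of running process names against hard-coded constants (so the names themselves never appear in the binary), and the analyst's answer of hashing a wordlist of candidate names and, for short strings, brute-forcing a length range. The checksum routine calc_cs is a hypothetical stand-in (32-bit FNV-1a followed by a final XOR with a two-byte constant, mirroring only the shape the article describes), not the real CalcCS variant, and the blocklisted process names and the wordlist are constructed for the example.

```python
"""
Added illustration (not Nukebot's or NeutrinoPOS's code): checksum-based
string comparison, and how an analyst recovers the original strings.

Assumptions (hypothetical, not taken from the malware):
  - calc_cs() is a stand-in checksum (32-bit FNV-1a with a final XOR of a
    two-byte constant); the real CalcCS variant is not reproduced here.
  - The process-name blocklist and the wordlist are constructed samples.
"""
from itertools import product
from typing import Dict, Iterable, List, Optional, Set

FINAL_XOR = 0xBEEF  # hypothetical fixed two-byte value applied at the end


def calc_cs(s: str) -> int:
    """Stand-in string checksum. Lower-cases first because Windows process
    names compare case-insensitively (an assumption about the comparison)."""
    h = 0x811C9DC5  # FNV-1a offset basis
    for b in s.lower().encode("utf-8"):
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h ^ FINAL_XOR


# --- Malware side: what a checksum-comparing loader looks like -------------
# Only these constants would be present in the binary; the names never are.
STOP_PROCESS_HASHES = frozenset(
    calc_cs(n) for n in ("procmon.exe", "wireshark.exe", "ollydbg.exe")
)


def should_stop(running_processes: Iterable[str]) -> bool:
    """Return True if any running process name hashes to a blocklisted
    constant, i.e. an analysis tool is present and the Trojan would abort."""
    return any(calc_cs(p) in STOP_PROCESS_HASHES for p in running_processes)


# --- Analyst side: turning the constants back into strings -----------------
def resolve_hashes(targets: Set[int], wordlist: Iterable[str]) -> Dict[int, str]:
    """Dictionary attack: hash every candidate and keep the ones that hit a
    target constant. Targets that no candidate hits are absent from the result."""
    wanted = set(targets)
    found: Dict[int, str] = {}
    for word in wordlist:
        h = calc_cs(word)
        if h in wanted and h not in found:
            found[h] = word
            if len(found) == len(wanted):
                break
    return found


def brute_force(target: int, alphabet: str, min_len: int, max_len: int) -> Optional[str]:
    """Exhaustive search over all strings of the alphabet within a length
    range. Cost grows as len(alphabet)**length, so this is only practical for
    short strings; a wordlist is tried first for everything else."""
    for length in range(min_len, max_len + 1):
        for chars in product(alphabet, repeat=length):
            cand = "".join(chars)
            if calc_cs(cand) == target:
                return cand
    return None


WORDLIST: List[str] = [  # constructed sample of analysis-tool process names
    "explorer.exe", "procmon.exe", "procexp.exe", "wireshark.exe",
    "x64dbg.exe", "ollydbg.exe", "ida64.exe", "fiddler.exe",
]

if __name__ == "__main__":
    print("stop on analyst box:", should_stop(["explorer.exe", "Wireshark.exe"]))
    print("stop on clean box:  ", should_stop(["explorer.exe", "svchost.exe"]))
    for h, name in resolve_hashes(set(STOP_PROCESS_HASHES), WORDLIST).items():
        print(f"0x{h:08x} -> {name}")
    print("brute-forced:", brute_force(calc_cs("ida"), "adi", 1, 3))
```

In practice the hard part is the first step, recovering the exact checksum routine (including the final XOR constant) from the disassembly; once that is reimplemented, the dictionary step resolves most hashes in seconds, and brute force is reserved for the few short command strings a wordlist misses.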

New variants of Nukebot have been springing up throughout the year, giving opportunistic criminals a range of builds to choose from. However, most of them appear to be test samples; only around 5 percent of all variants have been seen in actual attacks. The latest Jimmy Nukebot has also lost one of its predecessor's core features: stealing bank card data from the memory of an infected device. Its built-in functionality has been reduced in scope, and its primary task is now to receive modules from a remote node and install them on the system.


The modules fall into several categories: web-injects, mining, and a large number of updates to the main module shipped in various droppers. The "miner" module is designed to mine the Monero cryptocurrency (XMR). Its code contains an identifier associated with the wallet the mined coins are credited to, together with the address of the mining pool.

According to researchers, the web-inject modules target Chrome, Firefox and Internet Explorer and can perform functions similar to those in NeutrinoPOS, e.g., "raise" proxy servers or take screenshots. The modules are distributed in the form of libraries, and their functions vary depending on the name of the process they are loaded into.


To stay protected against threats such as Nukebot, using a capable anti-malware solution is a must.


Kristian Iliev

Second year student at The University of Edinburgh studying Social Anthropology and Social Policy. Avid enthusiast of anything to do with IT, films and watch repairs.
