Banking Trojan NukeBot: First Tests

London, UK – July 20, 2017 – NukeBot’s author published its source code in the Darknet this spring. Since then various modifications of NukeBot banking Trojan began to appear on the Internet. Researchers from Kaspersky Lab have analyzed NukeBot modifications they found in recent months and shared the results. Most versions of NukeBot make web injections into pages to steal user data. After activation, the Trojan communicates with the C2 server and receives RC4-key for decrypting the injections. So far, the information discovered by researchers suggests that the first attacks were conducted against American and French banks.

Now it is difficult to say what future awaits NukeBot: whether a wave of attacks with its modifications will start, or it will be forgotten soon because of the appearance of more effective tools in the adversaries’ arsenal. Perhaps the development of this malware may go away from the web-based injections, as some of the detected modifications were designed to steal browser and mail client passwords, and they had to download additional tools from remote servers.

Due to possible alterations in the source code of NukeBot, not all antiviruses will be able to recognize it, it can prove to be a very effective tool in targeted attacks on organizations. If you use SIEM systems ArcSight, QRadar or Splunk in your organization, you can register in the S.M.A. cloud and choose use cases that will help your security technologies detect most of the possible threats, as well as reduce the number of false positives and false negatives.