
Weaponized TinyNuke Malware Samples Appear Three Months After Source Code Leak

The story of the TinyNuke banking Trojan (a.k.a. NukeBot or Nuclear Bot) is filled with so many twists, turns, frustrated people, and individuals with nefarious motives that it could easily serve as the plot of a Hollywood drama. The trouble is, it's unlikely to have a happy ending, especially for regular computer users.

Apparently, the Trojan was created by a French teenager called Augustin Inzirillo. In an interview with Brian Krebs, he said that the purpose of the project was to defeat IBM's Trusteer Rapport, a security solution used by a number of banks across the globe. He claimed that he had no intention of attacking regular users and said that after he developed the malware, he got in touch with IBM. Apparently, however, the technology company simply redirected him to technical support agents that had no intention of helping him disclose the problem responsibly.

Eager to show what his creation could do, Inzirillo shared some samples with "friends." One of those friends was Gosya, an individual researchers believe to be Russian. Gosya apparently thought that he could make some quick and easy money from TinyNuke, and he took to the underground forums with the intention of selling samples for $2,500 a pop.

Fortunately, Gosya wasn't an experienced malware vendor. He didn't provide underground marketplace administrators with samples so that they could test them, and when other threat actors asked about the Trojan's functionality, his answers were inadequate. Eventually, the black hat community's patience ran out, and Gosya was banned.

The underground forum users weren't the only ones upset with Gosya. Augustin Inzirillo was also angry that his "friend" was trying to profit off his hard work. For some reason, he decided that the best way to stop this was to publish the source code on GitHub. Realizing that this would have the nasty side effect of giving threat actors the Trojan for free, he deleted the repository a couple of days later, but by then someone had already copied the code.

As a result, right now, around three months later, compiled TinyNuke samples are flying around. Kaspersky's experts analyzed some of them, and one of the first things they pointed out is that, for the time being at least, things aren't that terrible. In most of the samples they captured, the Command and Control (C&C) server's IP address was set to the loopback address (127.0.0.1), meaning the bot can only ever try to talk to the machine it is running on. Without a functioning C&C, TinyNuke doesn't work: it has nowhere to fetch its instructions and web injects from.

This suggests that the majority of the threat actors who have their hands on the source code are just testing the malware at the moment. There are some, however, who have already weaponized it.

Some of the black hats actively deploying the Trojan have added a few obfuscation techniques. In these versions of TinyNuke, the strings the code depends on are stored encrypted, and as soon as the malware makes its way onto a host, it contacts its C&C server and waits for an RC4 key which decrypts them and allows the infection to continue. Needless to say, this makes researchers' job harder: a sample whose C&C is already offline cannot simply be read statically, because the key never arrives. Fortunately, Kaspersky's experts wrote some scripts that helped them see what TinyNuke's new operators are after.
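As an added example, not code from the article, from Kaspersky, or from TinyNuke itself, the following Python script shows the two triage steps described in the last two paragraphs: sorting captured samples by their built-in C&C address so that loopback test builds are set aside, and recovering an RC4-protected string table once the key the C&C hands out is known. The record layout, the key, the strings, the hostnames and the sample names are all constructed for the illustration; the page says nothing about TinyNuke's actual binary format, and none of this should be read as its real configuration.

```python
"""Triage helper for captured TinyNuke-style samples (added example, not the
article's, Kaspersky's or TinyNuke's own code). The record layout, key,
strings and names below are constructed for illustration only."""
import ipaddress
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: one call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def classify_c2(address: str) -> str:
    """Sort a hard-coded C&C address into buckets. A loopback or private
    address can never reach an operator, so such a build is a test, not a
    live campaign. Hostnames must be resolved before they can be judged."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "hostname"
    if ip.is_loopback:                         # check before is_private: 127/8 is both
        return "loopback"
    if ip.is_private:
        return "private"
    return "routable"


def build_constructed_sample(name: str, c2: str, key: bytes, strings: list) -> dict:
    """Fabricate a sample record with an RC4-encrypted string table, standing
    in for what an analyst would carve out of a real binary (constructed)."""
    return {"name": name, "c2": c2,
            "strings": [rc4(key, s.encode()) for s in strings]}


def triage(sample: dict, key_from_c2: Optional[bytes]) -> dict:
    """Classify the C&C and, if the key the C&C would hand out is known,
    recover the string table. Without the key (C&C is loopback, or it went
    offline before an imitation bot could fetch it) the strings stay opaque."""
    verdict = {"name": sample["name"],
               "c2": sample["c2"],
               "c2_class": classify_c2(sample["c2"]),
               "strings": None}
    if key_from_c2 is not None:
        verdict["strings"] = [rc4(key_from_c2, blob).decode("utf-8", "replace")
                              for blob in sample["strings"]]
    return verdict


def run_triage() -> list:
    """Constructed batch: a loopback test build, a weaponized build whose key
    an imitation bot captured, and a build whose C&C never answered."""
    key = b"constructed-key-not-real"
    strings = ["GET /inject?bot=%s HTTP/1.1", "grabber: browser creds"]
    samples = [
        build_constructed_sample("sample_test", "127.0.0.1", key, strings),
        build_constructed_sample("sample_live", "c2-a.constructed.invalid", key, strings),
        build_constructed_sample("sample_dead", "c2-b.constructed.invalid", key, strings),
    ]
    keys_seen = {"sample_live": key}           # as if recovered from the live C&C
    return [triage(s, keys_seen.get(s["name"])) for s in samples]


if __name__ == "__main__":
    for v in run_triage():
        print(v["name"], v["c2"], v["c2_class"], v["strings"])
```

The loopback check runs before the private-range check on purpose: Python's `ipaddress` counts 127.0.0.0/8 as private as well, so the order decides which label a 127.0.0.1 build gets. RC4 is symmetric, so the same `rc4()` call that the constructed sample uses to encrypt is what the analyst uses to decrypt; the only thing the defender is missing is the key, which is exactly why the operators moved it to the C&C.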

The Trojan still relies on web injects, which are sent by the C&C. In the beginning, Kaspersky's imitation bot received test injects only, but later the servers started sending real ones. The working samples primarily target customers of financial institutions in the United States and France.

The researchers did notice, however, that the code had been extensively modified in some of the variants. In a few of the samples, the Trojan came with no web inject functionality at all and instead stole login credentials from browsers and email clients.

Different threat actors have different needs, and experiments with TinyNuke's source code are likely to continue, especially if the malware is as good as Augustin Inzirillo says it is. For the time being, the number of working samples is relatively small, but people shouldn't forget that it could grow quickly.
