Thursday, March 30, 2017

Nuclear Bot (Nuke Bot) Code Leaked Online

A couple of months back, Arbor Networks published an analysis of Nuclear Bot under the title "Dismantling a Nuclear Bot". (We had already analysed malware abusing SWIFT banking.) At that time it was described as a new banking trojan module that had appeared for sale on underground hacking forums at a price of $2.5K. Arbor Networks analyzed the following sample: https://www.virustotal.com/en/file/ff83aaa74ec364f4c2403409a28df93ef97e8a61ba79fdb1c94d7081f48e794e/analysis/1490938720/
The screenshot below shows where that sample pings back (its check-in address). We also looked for anything interesting beyond the analysis made by Arbor Networks, and found that this sample variant carries anti-analysis modules, including analysis-aware strings (strings the malware checks for in order to detect an analysis environment):

[screenshot: ping-back address and analysis-aware strings found in the sample]

This week the source code of Nuclear Bot (Nuke Bot) was leaked on an online code-sharing platform. The author made the code available on the net because of distrust from members of the hacking community: members of the underground forum treated the author like a spammer, since no free trial of the module was offered to premium members.


Important samples seen in the wild:
https://www.virustotal.com/en/file/ff83aaa74ec364f4c2403409a28df93ef97e8a61ba79fdb1c94d7081f48e794e/analysis/1490938720/
https://www.virustotal.com/en/file/53af22828a2a1190105c6846ae9e32ab6ce87388b77838d456432ee6e9de7343/analysis/1490938116/
https://www.virustotal.com/en/file/25a361f297c6d399410b47af5504f4bb2c9327de55168a31154fbee21fa4b186/analysis/1490938074/
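As an added example (not code from the post, the Arbor Networks write-up, or the leaked Nuke Bot source), the following Python triage script does two things a practitioner would want here: it hashes a file and checks the SHA-256 against the three sample hashes listed above, and it extracts ASCII and UTF-16LE strings from the file and flags analysis-aware ones. The indicator list is an assumption (generic names of virtual machines, sandboxes, debuggers and network tools that banking trojans commonly look for), not the strings from the Nuke Bot sample itself, and the embedded binary is a constructed stand-in, not malware.

```python
import hashlib
import re

# SHA-256 hashes of the samples listed in this post (taken from the VirusTotal links).
KNOWN_SAMPLES = {
    "ff83aaa74ec364f4c2403409a28df93ef97e8a61ba79fdb1c94d7081f48e794e",
    "53af22828a2a1190105c6846ae9e32ab6ce87388b77838d456432ee6e9de7343",
    "25a361f297c6d399410b47af5504f4bb2c9327de55168a31154fbee21fa4b186",
}

# ASSUMPTION: a generic list of VM / sandbox / debugger / network-tool names that
# banking trojans commonly look for. These are NOT the strings from the Nuke Bot
# sample; replace or extend them with what you see in your own triage.
ANALYSIS_INDICATORS = (
    "vmware", "vbox", "virtualbox", "qemu", "xen",
    "sandbox", "sbiedll", "cuckoo",
    "wireshark", "fiddler", "procmon", "procexp",
    "ollydbg", "x64dbg", "x32dbg", "windbg", "idaq",
)


def extract_strings(data: bytes, min_len: int = 5):
    """Return (encoding, text) pairs for printable ASCII and UTF-16LE runs.

    Roughly what `strings` and `strings -el` report; UTF-16LE matters because
    Windows malware stores most process/driver names as wide strings.
    """
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append(("ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append(("utf-16le", m.group().decode("utf-16le")))
    return found


def find_analysis_indicators(data: bytes, indicators=ANALYSIS_INDICATORS):
    """Return sorted (indicator, matched_string) pairs; case-insensitive substring match."""
    hits = set()
    for _enc, text in extract_strings(data):
        low = text.lower()
        for ind in indicators:
            if ind in low:
                hits.add((ind, text))
    return sorted(hits)


def triage(data: bytes) -> dict:
    """Hash the file, compare against the post's IOC list, and flag analysis-aware strings."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "known_sample": digest in KNOWN_SAMPLES,
        "analysis_indicators": find_analysis_indicators(data),
    }


# Constructed stand-in for a binary: a fake MZ header plus a few embedded strings,
# one of them UTF-16LE. It is NOT real malware and matches none of the hashes above.
CONSTRUCTED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"VMware Tools\x00" + b"\x00" * 4
    + "wireshark.exe".encode("utf-16le") + b"\x00" * 4
    + b"GetProcAddress\x00"
)

if __name__ == "__main__":
    import json
    import sys

    # Usage: python triage.py <sample>; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_SAMPLE
    print(json.dumps(triage(data), indent=2))
```

Against the constructed sample this reports the "vmware" and "wireshark" hits and `known_sample: false`; run it against one of the listed samples and the hash check flips to true. A hit on a string is only a lead, not proof of anti-analysis behaviour: confirm it by finding where the string is used (process enumeration, module checks, registry reads) in the disassembly.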


Popular AV detection:
a variant of Win32/Agent.YOB
Trojan-Banker.Win32.Nuclear.a
Trojan.Win32.Nuclear.ekazpz
TR/Spy.Banker.qexzn




Post created by
newWorld
