
NukeBot banking malware author leaks code to salvage cybercrime forum cred

The author of a powerful banking trojan has leaked his own source code in order to get back into the good graces of the greater cybercrime community, which shunned him for breaches of rules and etiquette on cybercrime forums, IBM's X-Force threat research team has reported.

The malware, known as Nuclear Bot or NukeBot, is a modular banking trojan with a web-based admin panel for controlling infected endpoints. A recent analysis from Sixgill found that it injects code into Chrome and Firefox, includes a rootkit for 32-bit and 64-bit machines, and bypasses User Account Control and the Windows Firewall.

First spotted for sale on cybercrime forums last December, NukeBot has not yet been detected in real-world attacks, but the wide release of its code will likely result in cybercriminals using the malware in attacks and embedding it in other malicious programs, IBM warned in a Tuesday blog post.

According to the report, earlier this year the malware's author, who used the handle Gosya, and his product were banned from a number of cybercrime forums after violating various codes of conduct. Among Gosya's reported infractions: he failed to have the malware tested and certified by forum admins, did not provide test versions to members, and gave unconvincing answers to technical questions. Forum members became convinced that he was a scammer after he tried to sell his product on more than one forum and later attempted to reintroduce the malware under a new name, Micro Banking Trojan, in hopes that it would be better received.

However, despite Gosya's missteps, the malware was no hoax, reported IBM, whose researchers discovered in mid-March that NukeBot's source code had been made freely available on a web-based source code management platform.

"This move appears to have been the action of the developer, not an intentional leak by another party," the blog post stated. "What could this mean? An educated guess would be that Gosya was disappointed with the distrust he faced in the underground and decided to release the main module of the malware for others to test and attest to."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
