The Nuclear Bot banking trojan reportedly injects code in Chrome and Firefox, includes a rootkit for 32-bit and 64-bit machines, and bypasses User Account Control and Windows Firewall executions.
The Nuclear Bot banking trojan reportedly injects code in Chrome and Firefox, includes a rootkit for 32-bit and 64-bit machines, and bypasses User Account Control and Windows Firewall executions.

The author of a powerful banking trojan has leaked his own source code in order to get back into the good graces of the greater cybercrime community, which shunned him for breaches of rules and etiquette on cybercrime forums, IBM's X-Force threat research team has reported.

The botnet, known as Nuclear Bot or NukeBot, is modular trojan featuring a web-based admin panel for control of infected endpoints. A recent analysis from Sixgill found that the malware injects code in Chrome and Firefox, includes a rootkit for 32-bit and 64-bit machines, and bypasses User Account Control and Windows Firewall executions.

First spotted for sale on cybercrime forums last December, NukeBot has not yet been detected in real-world attacks, but the wide release of its code will likely result in cybercriminals using the malware in attacks and embedding it in other malicious programs, IBM warned in a Tuesday blog post.

According to the report, earlier this year Goysa and his product were banned from a number of cybercrime forums after violating various codes of conduct. Among Goysa's reported infractions: He failed to have the malware tested and certified by forum admins,did not provide test versions to members, and provided unconvincing answers to technical questions. Forum members became convinced that he was a scammer after he tried to sell his product on more than one forum and then later tried to reintroduce his malware under a new name, Micro Banking Trojan, in hopes that it would be better received.

However, despite Goysa's dubious missteps, the malware was no hoax, reported IBM, who researchers discovered in mid-March that NukeBot's code was made freely available via a web-based source code management platform.

"This move appears to have been the action of the developer, not an intentional leak by another party," the blog post stated. "What could this mean? An educated guess would be that Gosya was disappointed with the distrust he faced in the underground and decided to release the main module of the malware for others to test and attest to."