Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

NukeBot Source Code Leaked After Marketing Fail

The developer of the NukeBot banking Trojan has decided to release the malware’s source code after he failed to convince the cybercrime community that his creation is worth buying and that he is not a scammer.

The developer of the NukeBot banking Trojan has decided to release the malware’s source code after he failed to convince the cybercrime community that his creation is worth buying and that he is not a scammer.

NukeBot, also known as Nuclear Bot, was first advertised on underground cybercrime forums in early December 2016, when it had been offered for sale for $2,500.

However, NukeBot’s developer, a Russian-speaking individual who uses the online moniker “Gosya,” had a poor marketing strategy that led to him being banned from underground forums.

According to IBM X-Force researchers, Gosya was introduced to hacking forums by a known member, but he failed to follow some important rules. Experts said he immediately started advertising his creation, without gaining the trust of the marketplace’s administrators and without giving them the chance to certify his malware.

The developer of FlokiBot and other cybercriminals asked Gosya to prove the malware’s capabilities by providing technical details, but he became nervous and defensive. The members of cybercrime forums became even more suspicious when the NukeBot developer started advertising his product using different monikers on various websites. He even changed the malware’s name to Micro Banking Trojan before he was banned from forums.

In mid-March, Gosya decided to make the NukeBot source code public. While Gosya may have appeared to be a scammer, IBM has confirmed that NukeBot is a legitimate banking Trojan, and an analysis conducted by Arbor Networks in December showed that Gosya’s product did in fact work right from the start.

IBM said NukeBot is a modular Trojan that comes with a web-based administration panel and web injection capabilities. On the other hand, IBM said the malware is not capable of bypassing the company’s Trusteer Rapport product as claimed by Gosya.

The developer may have hoped that leaking the source code will give others the chance to test his creation. This could also be a good marketing move as his Trojan might not only be used in attacks, but it will likely be increasingly discussed on security blogs, experts said.

Advertisement. Scroll to continue reading.

“With yet another malware source code out in the open, the most likely scenario is that NukeBot code will be recompiled and used by botnet operators,” said Limor Kessem, executive security advisor at IBM. “Parts of it may be embedded into other malware codes, and we are likely to see actual NukeBot fraud attacks in the wild in the coming months.”

Related: Mirai Increasingly Used for DDoS Attacks After Source Code Leak

Related: Fully Operational TrickBot Banking Trojan Targets UK, Australia

Related: Source Code of Android Banking Trojan “GM Bot” Leaked

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.