
Jimmy Banking Trojan Reuses NukeBot Code

A recently discovered modification of the Neutrino banking Trojan reuses parts of the NukeBot source code that was made publicly available earlier this year, Kaspersky Lab researchers report.

Dubbed Jimmy, the newly discovered malware closely resembles NeutrinoPOS, but its main body has been restructured, with most functionality moved out into modules. As a result, the main body no longer contains the code for scraping bank card data from process memory on an infected host; it is limited to fetching modules from a remote server and installing them.

The malware performs an extended check of the infected host, combining checks inherited from Neutrino with an inspection of its own file name. It also executes the cpuid instruction to retrieve information about the processor and compares the result with checksums embedded in the binary.

Overall, however, the Trojan has been seriously rewritten, Kaspersky says: “One small difference that immediately stands out is in the calculation of checksums from the names of API functions/libraries and strings. In the first case, the checksums are used to find the necessary API calls; in the second case, for a comparison of strings (commands, process names). This approach makes static analysis much more complicated.”

While NeutrinoPOS uses two different algorithms to compute checksums for the names of API calls, libraries and strings, Jimmy uses a single algorithm for all of these purposes. The communication protocol with the command and control (C&C) server, however, is unchanged, the researchers say.
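To make the static-analysis point concrete, here is an added example in C (not code from Jimmy, NukeBot or Kaspersky) that implements checksum-based API resolution and checksum-based string comparison of the kind described above, the cpuid vendor comparison from the host check, and the analyst's counter-move of brute-forcing the stored constants back to names. The ROR-13 hash, the export list, the process and vendor strings, and the reading of the cpuid check as VM detection are assumptions chosen for illustration; the article does not disclose Jimmy's actual algorithm, constants or intent.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#endif

/* Added illustration, not code from Jimmy, NukeBot or Kaspersky. The hash
 * below (ROR-13 over upper-cased ASCII) is an ASSUMED stand-in; the article
 * does not disclose the algorithm Jimmy actually uses. */
uint32_t name_hash(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++) {
        h = (h >> 13) | (h << 19);               /* rotate right by 13 */
        h += (uint32_t)toupper((unsigned char)*s);
    }
    return h;
}

/* Constructed stand-in for a DLL's export-name table. A real resolver walks
 * the PE export directory of the loaded module instead. */
static const char *const exports[] = {
    "CreateFileW", "VirtualAlloc", "VirtualProtect", "WriteProcessMemory",
    "CreateRemoteThread", "GetProcAddress", "LoadLibraryA", "IsDebuggerPresent",
};
#define N_EXPORTS (sizeof exports / sizeof exports[0])

/* Malware side: the binary stores only `want`; the API name never appears in
 * it, so a strings dump or import table shows nothing. Returns the export
 * index, or -1 if no export hashes to the constant. */
int resolve_by_hash(uint32_t want)
{
    for (size_t i = 0; i < N_EXPORTS; i++)
        if (name_hash(exports[i]) == want)
            return (int)i;
    return -1;
}

/* Same trick for C&C commands and process names: hash the runtime string and
 * compare against a stored constant instead of strcmp against a literal. */
int string_matches(const char *runtime_value, uint32_t stored_checksum)
{
    return name_hash(runtime_value) == stored_checksum;
}

/* cpuid leaf 0 returns the 12-byte vendor string split across EBX, EDX, ECX
 * (in that order, low byte first within each register). pack4 builds such a
 * register value from four characters so the layout can be exercised offline. */
uint32_t pack4(const char *s)
{
    uint32_t r = 0;
    for (int i = 0; i < 4; i++)
        r |= (uint32_t)(unsigned char)s[i] << (8 * i);
    return r;
}

uint32_t vendor_hash_from_regs(uint32_t ebx, uint32_t edx, uint32_t ecx)
{
    char vendor[13];
    const uint32_t regs[3] = { ebx, edx, ecx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            vendor[4 * r + i] = (char)((regs[r] >> (8 * i)) & 0xff);
    vendor[12] = '\0';
    return name_hash(vendor);
}

/* Analyst side: recover a name from a constant pulled out of the sample by
 * hashing every candidate (a real tool hashes every export of every common
 * DLL plus process and command word lists). Returns NULL if nothing matches. */
const char *reverse_hash(uint32_t h)
{
    for (size_t i = 0; i < N_EXPORTS; i++)
        if (name_hash(exports[i]) == h)
            return exports[i];
    return NULL;
}

int main(void)
{
    /* Constants as they would sit in a sample; computed here for the demo. */
    uint32_t want = name_hash("VirtualAlloc");
    printf("0x%08x -> %s\n", (unsigned)want, reverse_hash(want));

    /* A hypervisor vendor string hashed the way a sample would embed it;
     * comparing against it is the VM-detection use such a check is ASSUMED
     * to serve here. */
    uint32_t vmware = name_hash("VMwareVMware");
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
    unsigned int a, b, c, d;
    if (__get_cpuid(0, &a, &b, &c, &d))
        printf("this CPU %s the VMware vendor string\n",
               vendor_hash_from_regs(b, d, c) == vmware ? "matches" : "does not match");
#else
    printf("cpuid unavailable on this build target; VMware hash 0x%08x\n", (unsigned)vmware);
#endif
    return 0;
}
```

Build with `gcc -O2 example.c -o example`; on a non-x86 target the live cpuid call is compiled out and only the offline register-layout path remains. The practical lesson for analysts is the `reverse_hash` half: once the hash routine is lifted from the sample, every export name of the common system DLLs can be pre-hashed into a lookup table so that the constants in the binary resolve back to API names, which is exactly what reverse-engineering plugins for API hashing do.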

A closer analysis of the Trojan shows that the actual payload lives in the modules the main body downloads. The modules seen so far include web-injects and a miner for the Monero cryptocurrency (XMR). Monero has become very popular with malware writers lately; it was also the currency mined in the SambaCry attacks.

DiscordiaMiner, whose author published its source code for much the same reason the NukeBot developer did (chiefly to deflect accusations of fraud), also mined Monero.

Jimmy’s mining module embeds the identifier of the wallet to which mined coins are credited and the address of the mining pool. Using these, Kaspersky determined that mining began close to the Trojan’s early-July proliferation date.

In addition to injecting code into web pages, the web-inject modules can take screenshots, set up proxy servers and perform other malicious operations, similar to those in NeutrinoPOS. The modules are distributed as libraries and expose different functionality depending on the name of the process into which they are loaded.

Like NeutrinoPOS, Jimmy stores a number of its parameters in the Windows registry. The researchers also retrieved a test sample of the web injects and expect future iterations of the malware to “acquire ‘combat’ versions.”

Kaspersky also compared the reconstructed code of Jimmy with the NukeBot source and found sections that coincide completely, which makes clear that the author reused the leaked code to build their own variant of the malware.

“In isolation from the previous modifications, the newly created Jimmy would not be of much interest to researchers. However, in this context, it is an excellent example of what can be done with the source code of a quality Trojan, namely, flexibly adapt to the goals and tasks set before a botnet to take advantage of a new source,” Kaspersky concludes.

In an emailed comment to SecurityWeek, AlienVault security advocate Javvad Malik pointed out the risks posed by the availability of malware source code: “Once such Trojans or malware go open source, it has two main impacts. Firstly, it increases in popularity and use. But with this, the chances of it being detected and prevented by security tools also increases; so, the second impact is that others will increasingly modify the malware in order to bypass security controls. Organizations should invest in security technologies that are constantly updated with threat intelligence so that they can better detect and respond to new threats as they emerge.”

Related: NeutrinoPoS – Old Trojan Shifts to New Targets

Related: NukeBot Source Code Leaked After Marketing Fail

Written By

Ionut Arghire is an international correspondent for SecurityWeek.