Jimmy Banking Trojan Reuses NukeBot Code

A recently discovered modification of the Neutrino banking Trojan reuses parts of the NukeBot source code that was made publicly available earlier this year, Kaspersky Lab researchers discovered.

Dubbed Jimmy, the newly discovered malware shows close resemblance to NeutrinoPOS, but features a restructured main body, with functions moved to modules. Because of this change, the new Trojan no longer includes the functionality for stealing bank card data from the memory of an infected device, but is limited to receiving modules from a remote server and installing them.

The malware is able to conduct an extended scan of an infected host, including both checks inherited from Neutrino and a check of its own name. Furthermore, using the cpuid assembly instruction, the threat retrieves information about the processor and compares it against checksums it contains.

Overall, however, the Trojan has been seriously rewritten, Kaspersky says: “One small difference that immediately stands out is in the calculation of checksums from the names of API functions/libraries and strings. In the first case, the checksums are used to find the necessary API calls; in the second case, for a comparison of strings (commands, process names). This approach makes static analysis much more complicated.”

While NeutrinoPOS uses two algorithms to calculate checksums for the names of API calls, libraries and strings, Jimmy has only one algorithm for all these purposes. However, the communication protocol with the command and control server remained unchanged, the researchers say.
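The checksum-based lookup described above is countered in static analysis by recomputing the checksum over candidate names and matching the constants embedded in the sample. The following Python example is added here and is not from the Kaspersky report or the Jimmy code; the page does not disclose Jimmy's algorithm, so it assumes CRC32 as a stand-in checksum, and the candidate names and sample constants are constructed for the example.

```python
import zlib

# Assumed stand-in checksum (the page does not disclose Jimmy's real algorithm):
# CRC32 over the ASCII bytes of the name, case preserved.
def name_checksum(name: str) -> int:
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF

# Hand-picked candidate set for the example. An analyst would normally
# enumerate the full export tables of the DLLs the sample loads.
CANDIDATE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"],
    "advapi32.dll": ["RegOpenKeyExA", "RegSetValueExA"],
}
# Plain strings the sample may compare by checksum (commands, process names).
CANDIDATE_STRINGS = ["explorer.exe", "iexplore.exe", "update", "inject"]

def build_lookup(exports, strings):
    """Map checksum -> (kind, library, value). Library and process names are
    hashed in several casings because samples often normalise case first."""
    table = {}
    for lib, names in exports.items():
        for variant in {lib, lib.upper(), lib.lower()}:
            table[name_checksum(variant)] = ("library", variant, variant)
        for fn in names:
            table[name_checksum(fn)] = ("export", lib, fn)
    for s in strings:
        for variant in {s, s.upper(), s.lower()}:
            table[name_checksum(variant)] = ("string", None, variant)
    return table

def resolve(constants, table):
    """Return {constant: entry}; unresolved constants map to None so the
    analyst can see which hashes still need a larger candidate set."""
    return {c: table.get(c) for c in constants}

# Constructed sample constants, as if pulled from the binary's comparisons.
SAMPLE_CONSTANTS = [
    name_checksum("GetProcAddress"),
    name_checksum("KERNEL32.DLL"),
    name_checksum("explorer.exe"),
    0xDEADBEEF,  # deliberately unresolvable
]

if __name__ == "__main__":
    table = build_lookup(CANDIDATE_EXPORTS, CANDIDATE_STRINGS)
    for k, v in resolve(SAMPLE_CONSTANTS, table).items():
        print(f"0x{k:08x} -> {v}")
```

The same table serves both uses the report describes: resolving API and library names, and recovering the commands or process names the Trojan compares by checksum.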

A closer analysis of the Trojan reveals that the payload is included in the modules the main body receives. The modules include web-injects and mining capabilities for the Monero currency (XMR). Monero has become very popular with malware writers lately, and is even mined by SambaCry.

DiscordiaMiner, which had its source code made publicly available by the author for reasons similar to those that prompted the NukeBot developer to do the same (mainly to avoid accusations of fraud), also focused on mining Monero.

Jimmy’s mining module includes the identifier of the wallet to which the mined cryptocurrency is sent and the address of the mining pool, and Kaspersky was able to use these to determine that the Trojan started its mining operations close to its early July proliferation date.

In addition to being able to inject code into web pages, the web-inject modules can also take screenshots, create proxy servers, and perform other nefarious operations, similar to those in NeutrinoPOS. The modules are distributed in the form of libraries and feature different functions, based on the name of the process in which they are located.

Similar to NeutrinoPOS, Jimmy also stores a number of parameters in the registry. The researchers explain that they also managed to retrieve a test sample of the web injects, and that future iterations of the malware might “acquire ‘combat’ versions.”

Kaspersky also compared the restored code of Jimmy with the source code of NukeBot and discovered that in some places the two coincide completely. Thus, it’s clear that the author reused the code to build their own version of the malware.

“In isolation from the previous modifications, the newly created Jimmy would not be of much interest to researchers. However, in this context, it is an excellent example of what can be done with the source code of a quality Trojan, namely, flexibly adapt to the goals and tasks set before a botnet to take advantage of a new source,” Kaspersky concludes.

In an emailed comment to SecurityWeek, AlienVault security advocate Javvad Malik pointed out the risks posed by the availability of malware source code: “Once such Trojans or malware go open source, it has two main impacts. Firstly, it increases in popularity and use. But with this, the chances of it being detected and prevented by security tools also increases; so, the second impact is that others will increasingly modify the malware in order to bypass security controls. Organizations should invest in security technologies that are constantly updated with threat intelligence so that they can better detect and respond to new threats as they emerge.”

Related: NeutrinoPoS – Old Trojan Shifts to New Targets

Related: NukeBot Source Code Leaked After Marketing Fail

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
