
NukeBot Source Code Leaked After Marketing Fail

The developer of the NukeBot banking Trojan has decided to release the malware’s source code after he failed to convince the cybercrime community that his creation is worth buying and that he is not a scammer.

NukeBot, also known as Nuclear Bot, was first advertised on underground cybercrime forums in early December 2016, when it was offered for sale for $2,500.

However, NukeBot’s developer, a Russian-speaking individual who uses the online moniker “Gosya,” had a poor marketing strategy that led to him being banned from underground forums.

According to IBM X-Force researchers, Gosya was introduced to hacking forums by a known member, but he failed to follow some important rules. Experts said he immediately started advertising his creation, without gaining the trust of the marketplace’s administrators and without giving them the chance to certify his malware.

The developer of FlokiBot and other cybercriminals asked Gosya to prove the malware’s capabilities by providing technical details, but he became nervous and defensive. The members of cybercrime forums became even more suspicious when the NukeBot developer started advertising his product using different monikers on various websites. He even changed the malware’s name to Micro Banking Trojan before he was banned from forums.

In mid-March, Gosya decided to make the NukeBot source code public. While Gosya may have appeared to be a scammer, IBM has confirmed that NukeBot is a legitimate banking Trojan, and an analysis conducted by Arbor Networks in December showed that Gosya’s product did in fact work right from the start.

IBM said NukeBot is a modular Trojan that comes with a web-based administration panel and web injection capabilities. On the other hand, IBM said the malware is not capable of bypassing the company’s Trusteer Rapport product as claimed by Gosya.

The developer may have hoped that leaking the source code would give others the chance to test his creation. This could also be a good marketing move, as his Trojan might not only be used in attacks but will likely also be increasingly discussed on security blogs, experts said.

“With yet another malware source code out in the open, the most likely scenario is that NukeBot code will be recompiled and used by botnet operators,” said Limor Kessem, executive security advisor at IBM. “Parts of it may be embedded into other malware codes, and we are likely to see actual NukeBot fraud attacks in the wild in the coming months.”


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.