We write about malware on a semi-frequent basis. Often the virus was no different than any other of the same breed, save for the depth or scale of damage caused. However, recent malware from Russia has proven to be one of a kind. It was unique for several dynamics, but the greatest being the dual functioning aspect of the malware. In addition to being the classic virus, the so-called “Nuke HTTP” bot is an anti-virus program—for itself.
According to information on virustotal, researchers first saw the bot in December 2016. Only recently has news about the malware hit the mainstream outlets. Researchers analyzed a sample version of Nuke, starting with the debugging string “E:\Nuclear\Bot\Release\Dropper.pdb.” The Nuke HTTP bot offered modular components, per trojan’s Russian vendor. Nuke starts at a low price, lower than that of Zeus or the Floki Bot, and features such as the “anti-virus” software simply add to the cost.
The vendor listed the Trojan as both nuke and nuclear. While researchers usually refer to the malware as the Nuke HTTP bot, the nuclear HTTP bot handle more commonly appeared on Russian forums. The listing additionally explained everything a buyer needed to know about the bot, including how to differentiate between Nuke and other, similar, pieces of malware on the market. Unlike others, the Russian vendor named Gosya said, Nuke needed none of the code used by Zeus or the Floki Bot. Many of the malware on the market or spotted in the wild simply used modified parts of the Zeus code.
How do I distinguish between your boat from all others on the market?
- [+] It is written entirely from scratch (no connection with the Zeus, Carberp, ISFB, etc)
- – parser (Json)
- – Inject (Chrome – ssl_write / read ## _ app_data without ssl_close || FF – Pr _ ## write / read without PrOpenTcpSocket / Pr_close)
- – Running (inject code) in the system is written without outsourcing
- [+] It is written in C <MSVC 2012> (Boat and all modules) + the PHP with PDO and the JS (Panel)
- [+] Fully compatible with all Windows NT family (x32 and the x64)
- [+] Do not attracted the attention of UAC or Windows Firewall
What I find modules in the first version of the bot?
- [+] Possibility to download and run the executable
- [+] Reverse SOCKS with back-Connect
- [+] form grabbing and Web-Inject (bypassing HTTP2 / SPDY) with support (Internet Explorer 611, Firefox 28 – 50, Chrome 50 – 55)
- – support “wildcard” in the parser (TP .facebook * *.)
- – parser is indeed very easy to use
- – Of Injection Size does not matter, you can pisaty it as you want
- – Can pisaty something more than one injects for each page
- – the same way no matter how many injects you polzevayti, speed browser / CPU all too most
Researchers mentioned that the full price of Nuke, with the SOCKS and endpoint bypassing modules, costs only $4,000. The “bot killer” is functionality packed into Nuke, according to Gosya. The vendor said that the basic version included that module. Gosya’s identity, as with most threat actors in this sector, remains unknown. The entity, according to those with knowledge in this area of cybersecurity, resided in the Moscow region and is not new to the scene, despite being relatively unknown.
Links to the two demo videos on VidMe.com: