win.tinynuke

TinyNuke

aka: NukeBot, Nuclear Bot, MicroBankingTrojan, Xbot

TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan that includes a HiddenDesktop/VNC server and a reverse SOCKS4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking websites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on GitHub. XBot is an offspring of TinyNuke, but very similar to its ancestor.

References
2021-10-20 — AhnLab — AhnLab ASEC Analysis Team
@online{team:20211020:vnc:b2f7937, author = {AhnLab ASEC Analysis Team}, title = {{VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group}}, date = {2021-10-20}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/27346/}, language = {English}, urldate = {2021-10-26} } VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group
TinyNuke
2019-12-17 — Brian Krebs
@online{krebs:20191217:nuclear:88151cd, author = {Brian Krebs}, title = {{Nuclear Bot Author Arrested in Sextortion Case}}, date = {2019-12-17}, url = {https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/}, language = {English}, urldate = {2020-01-07} } Nuclear Bot Author Arrested in Sextortion Case
TinyNuke Varenyky
2018-05-21 — Juniper — Paul Kimayong
@online{kimayong:20180521:nukebot:dcd8985, author = {Paul Kimayong}, title = {{Nukebot Banking Trojan targeting people in France}}, date = {2018-05-21}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702}, language = {English}, urldate = {2019-11-22} } Nukebot Banking Trojan targeting people in France
TinyNuke
2018-02-02 — BitSight — Tiago Pereira
@online{pereira:20180202:break:b0556dc, author = {Tiago Pereira}, title = {{Break Out Of The Tinynuke Malware}}, date = {2018-02-02}, organization = {BitSight}, url = {https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet}, language = {English}, urldate = {2020-01-06} } Break Out Of The Tinynuke Malware
TinyNuke
2017-07-19 — Kaspersky Labs — Sergey Yunakovsky
@online{yunakovsky:20170719:nukebot:cba3e87, author = {Sergey Yunakovsky}, title = {{The NukeBot banking Trojan: from rough drafts to real threats}}, date = {2017-07-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/}, language = {English}, urldate = {2019-12-20} } The NukeBot banking Trojan: from rough drafts to real threats
TinyNuke
2017-04-06 — KrebsOnSecurity — Brian Krebs
@online{krebs:20170406:selfproclaimed:542e91e, author = {Brian Krebs}, title = {{Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer}}, date = {2017-04-06}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/nuclear-bot/}, language = {English}, urldate = {2019-07-27} } Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer
TinyNuke
2017-03-28 — SecurityIntelligence — Limor Kessem, Ilya Kolmanovich
@online{kessem:20170328:nukebot:2b33bbb, author = {Limor Kessem and Ilya Kolmanovich}, title = {{The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak}}, date = {2017-03-28}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/}, language = {English}, urldate = {2020-01-05} } The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak
TinyNuke
2016-12-19 — NetScout — Dennis Schwarz
@online{schwarz:20161219:dismantling:b7af8dd, author = {Dennis Schwarz}, title = {{Dismantling a Nuclear Bot}}, date = {2016-12-19}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/}, language = {English}, urldate = {2020-01-09} } Dismantling a Nuclear Bot
TinyNuke
Yara Rules
[TLP:WHITE] win_tinynuke_auto (20211008 | Detects win.tinynuke.)
// Auto-generated Malpedia detection rule for the TinyNuke / Nuclear Bot banking
// trojan (win.tinynuke). Each $sequence_N string is a short run of x86 opcode
// bytes selected from the disassembly of unpacked samples and memory dumps (see
// the DISCLAIMER inside the rule), so the rule is meant for unpacked code and
// memory images rather than packed on-disk binaries.
// Match logic: at least 7 of the 33 $sequence_* strings must be present and the
// scanned object must be smaller than 1196032 bytes (see "condition" below).
rule win_tinynuke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.tinynuke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The per-sequence annotations below were emitted by yara-signator:
        // "n" is the number of instructions in the sequence (it equals the number
        // of disassembly lines listed); "score" is the tool's ranking weight and
        // its exact semantics are tool-internal — presumably higher values mark
        // sequences seen more consistently across the sampled binaries.
        // "??" wildcards mask 4-byte operands whose values change between builds
        // and after relocation (relative call targets and absolute data addresses,
        // e.g. e8 = call rel32, ff15 = call [imm32], a3 = mov [imm32], eax); the
        // disassembly column is left blank for those masked instructions.
        $sequence_0 = { c3 55 8bec 817d0c00040000 }
            // n = 4, score = 1600
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   817d0c00040000       | cmp                 dword ptr [ebp + 0xc], 0x400

        $sequence_1 = { a3???????? 6a0c 68???????? 68???????? e8???????? }
            // n = 5, score = 1500
            //   a3????????           |                     
            //   6a0c                 | push                0xc
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_2 = { a3???????? 57 ff15???????? ff35???????? 8b7dfc 57 }
            // n = 6, score = 1400
            //   a3????????           |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   57                   | push                edi

        $sequence_3 = { 8bec 817d0c00040000 7613 8b4508 }
            // n = 4, score = 1400
            //   8bec                 | mov                 ebp, esp
            //   817d0c00040000       | cmp                 dword ptr [ebp + 0xc], 0x400
            //   7613                 | jbe                 0x15
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_4 = { ff15???????? 6a04 5e 85c0 753c }
            // n = 5, score = 1400
            //   ff15????????         |                     
            //   6a04                 | push                4
            //   5e                   | pop                 esi
            //   85c0                 | test                eax, eax
            //   753c                 | jne                 0x3e

        $sequence_5 = { e8???????? 53 56 e8???????? 83c414 85c0 750a }
            // n = 7, score = 1400
            //   e8????????           |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc

        $sequence_6 = { ff7508 ff15???????? 53 8bf0 8d45fc 50 ff750c }
            // n = 7, score = 1400
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   8bf0                 | mov                 esi, eax
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_7 = { ff15???????? 68???????? ff15???????? 6a07 59 ff35???????? 33c0 }
            // n = 7, score = 1400
            //   ff15????????         |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   6a07                 | push                7
            //   59                   | pop                 ecx
            //   ff35????????         |                     
            //   33c0                 | xor                 eax, eax

        $sequence_8 = { 8d8530f6ffff 50 6802020000 ff15???????? 85c0 }
            // n = 5, score = 1400
            //   8d8530f6ffff         | lea                 eax, dword ptr [ebp - 0x9d0]
            //   50                   | push                eax
            //   6802020000           | push                0x202
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_9 = { ff35???????? ff75fc ff15???????? 56 8d45f8 }
            // n = 5, score = 1400
            //   ff35????????         |                     
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   56                   | push                esi
            //   8d45f8               | lea                 eax, dword ptr [ebp - 8]

        $sequence_10 = { ff75ec ff75fc e8???????? 83c40c 5f }
            // n = 5, score = 1300
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   5f                   | pop                 edi

        $sequence_11 = { ff15???????? ff35???????? 8d85a4feffff 50 ff15???????? }
            // n = 5, score = 1300
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   8d85a4feffff         | lea                 eax, dword ptr [ebp - 0x15c]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_12 = { ff75fc ff15???????? a3???????? ff35???????? }
            // n = 4, score = 1200
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   a3????????           |                     
            //   ff35????????         |                     

        $sequence_13 = { 50 ff15???????? ff35???????? 8d85a8feffff 50 ff15???????? }
            // n = 6, score = 900
            //   50                   | push                eax
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   8d85a8feffff         | lea                 eax, dword ptr [ebp - 0x158]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_14 = { 59 a3???????? c9 c3 55 }
            // n = 5, score = 800
            //   59                   | pop                 ecx
            //   a3????????           |                     
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_15 = { ff15???????? ff35???????? ff7508 ff15???????? 68???????? ff7508 }
            // n = 6, score = 800
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   68????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_16 = { a3???????? ff35???????? ff75ec ff15???????? }
            // n = 4, score = 800
            //   a3????????           |                     
            //   ff35????????         |                     
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff15????????         |                     

        $sequence_17 = { a3???????? ff35???????? ff75f8 ff15???????? }
            // n = 4, score = 800
            //   a3????????           |                     
            //   ff35????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     

        $sequence_18 = { 6a2a 50 8945fc ff15???????? }
            // n = 4, score = 800
            //   6a2a                 | push                0x2a
            //   50                   | push                eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     

        $sequence_19 = { 8a00 3c0a 7409 3c0d 740f }
            // n = 5, score = 800
            //   8a00                 | mov                 al, byte ptr [eax]
            //   3c0a                 | cmp                 al, 0xa
            //   7409                 | je                  0xb
            //   3c0d                 | cmp                 al, 0xd
            //   740f                 | je                  0x11

        $sequence_20 = { c70604000000 e8???????? eb18 83f803 7519 ff7608 }
            // n = 6, score = 800
            //   c70604000000         | mov                 dword ptr [esi], 4
            //   e8????????           |                     
            //   eb18                 | jmp                 0x1a
            //   83f803               | cmp                 eax, 3
            //   7519                 | jne                 0x1b
            //   ff7608               | push                dword ptr [esi + 8]

        $sequence_21 = { 83ec0c 33c0 53 56 57 }
            // n = 5, score = 200
            //   83ec0c               | sub                 esp, 0xc
            //   33c0                 | xor                 eax, eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_22 = { ff15???????? 8b35???????? 8d430c 50 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   8d430c               | lea                 eax, dword ptr [ebx + 0xc]
            //   50                   | push                eax

        // NOTE(review): sequences 23-32 carry the lowest score (100); per the
        // DISCLAIMER above they may originate from a single sample and are
        // expected to generalize less well than the higher-scoring sequences.
        $sequence_23 = { 7416 60 8bb53cd9feff 8bbd40d9feff 8b8d44d9feff f3a4 61 }
            // n = 7, score = 100
            //   7416                 | je                  0x18
            //   60                   | pushal              
            //   8bb53cd9feff         | mov                 esi, dword ptr [ebp - 0x126c4]
            //   8bbd40d9feff         | mov                 edi, dword ptr [ebp - 0x126c0]
            //   8b8d44d9feff         | mov                 ecx, dword ptr [ebp - 0x126bc]
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   61                   | popal               

        $sequence_24 = { 8955e4 83c208 57 8945e8 8945f8 }
            // n = 5, score = 100
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx
            //   83c208               | add                 edx, 8
            //   57                   | push                edi
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_25 = { 8b7304 8b0b 83fa10 8d860000e06e }
            // n = 4, score = 100
            //   8b7304               | mov                 esi, dword ptr [ebx + 4]
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   83fa10               | cmp                 edx, 0x10
            //   8d860000e06e         | lea                 eax, dword ptr [esi + 0x6ee00000]

        $sequence_26 = { 89c1 89d8 f7f1 89f0 83c301 83ec04 328248c0e16e }
            // n = 7, score = 100
            //   89c1                 | mov                 ecx, eax
            //   89d8                 | mov                 eax, ebx
            //   f7f1                 | div                 ecx
            //   89f0                 | mov                 eax, esi
            //   83c301               | add                 ebx, 1
            //   83ec04               | sub                 esp, 4
            //   328248c0e16e         | xor                 al, byte ptr [edx + 0x6ee1c048]

        $sequence_27 = { 8b8780000000 01d8 89442418 8b400c }
            // n = 4, score = 100
            //   8b8780000000         | mov                 eax, dword ptr [edi + 0x80]
            //   01d8                 | add                 eax, ebx
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]

        $sequence_28 = { 81fb00900100 75c9 a1???????? 05???????? 89c7 8944241c }
            // n = 6, score = 100
            //   81fb00900100         | cmp                 ebx, 0x19000
            //   75c9                 | jne                 0xffffffcb
            //   a1????????           |                     
            //   05????????           |                     
            //   89c7                 | mov                 edi, eax
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax

        $sequence_29 = { 8b049d1410e26e 85c0 7402 ffd0 83c301 39f3 75ec }
            // n = 7, score = 100
            //   8b049d1410e26e       | mov                 eax, dword ptr [ebx*4 + 0x6ee21014]
            //   85c0                 | test                eax, eax
            //   7402                 | je                  4
            //   ffd0                 | call                eax
            //   83c301               | add                 ebx, 1
            //   39f3                 | cmp                 ebx, esi
            //   75ec                 | jne                 0xffffffee

        $sequence_30 = { 0fb710 89d1 c1fa0c 83fa03 750d 8b16 }
            // n = 6, score = 100
            //   0fb710               | movzx               edx, word ptr [eax]
            //   89d1                 | mov                 ecx, edx
            //   c1fa0c               | sar                 edx, 0xc
            //   83fa03               | cmp                 edx, 3
            //   750d                 | jne                 0xf
            //   8b16                 | mov                 edx, dword ptr [esi]

        $sequence_31 = { 891c24 89dd 8944240c 8b442418 89442404 e8???????? }
            // n = 6, score = 100
            //   891c24               | mov                 dword ptr [esp], ebx
            //   89dd                 | mov                 ebp, ebx
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   e8????????           |                     

        $sequence_32 = { 31ff 85ed 750c eb38 }
            // n = 4, score = 100
            //   31ff                 | xor                 edi, edi
            //   85ed                 | test                ebp, ebp
            //   750c                 | jne                 0xe
            //   eb38                 | jmp                 0x3a

    condition:
        // Fires when any 7 of the 33 opcode sequences above occur anywhere in the
        // scanned object, in any order, and the object is under 1196032 bytes.
        // The size cap keeps scans cheap but also means large memory dumps will
        // not match even if the sequences are present — raise or drop it when
        // scanning process memory.
        7 of them and filesize < 1196032
}