win.tinynuke

TinyNuke

aka: NukeBot, Nuclear Bot, MicroBankingTrojan, Xbot

TinyNuke (aka Nuclear Bot) is a fully fledged banking trojan that includes a HiddenDesktop/VNC server and a reverse SOCKS4 server. It was offered on underground marketplaces for $2,500 in 2016. The author claimed the malware was written from scratch, but it functions much like the ZeuS banking trojan: it steals credentials and injects arbitrary content when victims visit banking websites. The author then damaged his own reputation on hacker forums by promoting his development too aggressively and, in what looks like a displacement activity, published the source code on GitHub. XBot is an offspring of TinyNuke and remains very similar to its ancestor.

References
2019-12-17 ⋅ Brian Krebs
@online{krebs:20191217:nuclear:88151cd, author = {Brian Krebs}, title = {{Nuclear Bot Author Arrested in Sextortion Case}}, date = {2019-12-17}, url = {https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/}, language = {English}, urldate = {2020-01-07} }
Families: TinyNuke, Varenyky
2018-05-21 ⋅ Juniper ⋅ Paul Kimayong
@online{kimayong:20180521:nukebot:dcd8985, author = {Paul Kimayong}, title = {{Nukebot Banking Trojan targeting people in France}}, date = {2018-05-21}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702}, language = {English}, urldate = {2019-11-22} }
Families: TinyNuke
2018-02-02 ⋅ BitSight ⋅ Tiago Pereira
@online{pereira:20180202:break:b0556dc, author = {Tiago Pereira}, title = {{Break Out Of The Tinynuke Malware}}, date = {2018-02-02}, organization = {BitSight}, url = {https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet}, language = {English}, urldate = {2020-01-06} }
Families: TinyNuke
2017-07-19 ⋅ Kaspersky Labs ⋅ Sergey Yunakovsky
@online{yunakovsky:20170719:nukebot:cba3e87, author = {Sergey Yunakovsky}, title = {{The NukeBot banking Trojan: from rough drafts to real threats}}, date = {2017-07-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/}, language = {English}, urldate = {2019-12-20} }
Families: TinyNuke
2017-04-06 ⋅ KrebsOnSecurity ⋅ Brian Krebs
@online{krebs:20170406:selfproclaimed:542e91e, author = {Brian Krebs}, title = {{Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer}}, date = {2017-04-06}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/nuclear-bot/}, language = {English}, urldate = {2019-07-27} }
Families: TinyNuke
2017-03-28 ⋅ SecurityIntelligence ⋅ Limor Kessem, Ilya Kolmanovich
@online{kessem:20170328:nukebot:2b33bbb, author = {Limor Kessem and Ilya Kolmanovich}, title = {{The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak}}, date = {2017-03-28}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/}, language = {English}, urldate = {2020-01-05} }
Families: TinyNuke
2016-12-19 ⋅ NetScout ⋅ Dennis Schwarz
@online{schwarz:20161219:dismantling:b7af8dd, author = {Dennis Schwarz}, title = {{Dismantling a Nuclear Bot}}, date = {2016-12-19}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/}, language = {English}, urldate = {2020-01-09} }
Families: TinyNuke
Yara Rules
[TLP:WHITE] win_tinynuke_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_tinynuke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 85c9 0f855effffff 8b44241c 8b0e }
            // n = 4, score = 1200
            //   85c9                 | test                ecx, ecx
            //   0f855effffff         | jne                 0xffffff64
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   8b0e                 | mov                 ecx, dword ptr [esi]

        $sequence_1 = { 895c2410 8b4b0c 85c9 0f84a2000000 8b06 03c1 50 }
            // n = 7, score = 1200
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   8b4b0c               | mov                 ecx, dword ptr [ebx + 0xc]
            //   85c9                 | test                ecx, ecx
            //   0f84a2000000         | je                  0xa8
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   03c1                 | add                 eax, ecx
            //   50                   | push                eax

        $sequence_2 = { 8944241c 2b5834 833f00 745f 8d4704 89442414 }
            // n = 6, score = 1200
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   2b5834               | sub                 ebx, dword ptr [eax + 0x34]
            //   833f00               | cmp                 dword ptr [edi], 0
            //   745f                 | je                  0x61
            //   8d4704               | lea                 eax, [edi + 4]
            //   89442414             | mov                 dword ptr [esp + 0x14], eax

        $sequence_3 = { 83f808 7246 83c0f8 d1e8 89442410 ba00000000 7436 }
            // n = 7, score = 1200
            //   83f808               | cmp                 eax, 8
            //   7246                 | jb                  0x48
            //   83c0f8               | add                 eax, -8
            //   d1e8                 | shr                 eax, 1
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   ba00000000           | mov                 edx, 0
            //   7436                 | je                  0x38

        $sequence_4 = { 031e 8b0f 85c9 7440 7905 }
            // n = 5, score = 1200
            //   031e                 | add                 ebx, dword ptr [esi]
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   85c9                 | test                ecx, ecx
            //   7440                 | je                  0x42
            //   7905                 | jns                 7

        $sequence_5 = { 83f803 7413 83f80a 7515 8b07 0306 }
            // n = 6, score = 1200
            //   83f803               | cmp                 eax, 3
            //   7413                 | je                  0x15
            //   83f80a               | cmp                 eax, 0xa
            //   7515                 | jne                 0x17
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   0306                 | add                 eax, dword ptr [esi]

        $sequence_6 = { 0338 833f00 75a1 8b5e08 895c2410 8b4b0c }
            // n = 6, score = 1200
            //   0338                 | add                 edi, dword ptr [eax]
            //   833f00               | cmp                 dword ptr [edi], 0
            //   75a1                 | jne                 0xffffffa3
            //   8b5e08               | mov                 ebx, dword ptr [esi + 8]
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   8b4b0c               | mov                 ecx, dword ptr [ebx + 0xc]

        $sequence_7 = { 8d442434 50 8d442428 50 8b4610 ffd0 8d442414 }
            // n = 7, score = 1200
            //   8d442434             | lea                 eax, [esp + 0x34]
            //   50                   | push                eax
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   50                   | push                eax
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   ffd0                 | call                eax
            //   8d442414             | lea                 eax, [esp + 0x14]

        $sequence_8 = { 8d8530f6ffff 50 6802020000 ff15???????? }
            // n = 4, score = 900
            //   8d8530f6ffff         | lea                 eax, [ebp - 0x9d0]
            //   50                   | push                eax
            //   6802020000           | push                0x202
            //   ff15????????         |                     

        $sequence_9 = { c70604000000 e8???????? eb18 83f803 7519 }
            // n = 5, score = 500
            //   c70604000000         | mov                 dword ptr [esi], 4
            //   e8????????           |                     
            //   eb18                 | jmp                 0x1a
            //   83f803               | cmp                 eax, 3
            //   7519                 | jne                 0x1b

        $sequence_10 = { 6a2a 50 8945fc ff15???????? }
            // n = 4, score = 500
            //   6a2a                 | push                0x2a
            //   50                   | push                eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     

        $sequence_11 = { 8b02 8a00 3c0a 7409 3c0d }
            // n = 5, score = 500
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8a00                 | mov                 al, byte ptr [eax]
            //   3c0a                 | cmp                 al, 0xa
            //   7409                 | je                  0xb
            //   3c0d                 | cmp                 al, 0xd

        $sequence_12 = { 55 8bec 83ec0c 33c0 53 56 57 }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   33c0                 | xor                 eax, eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_13 = { ff15???????? 8b35???????? 8d430c 50 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   8d430c               | lea                 eax, [ebx + 0xc]
            //   50                   | push                eax

        $sequence_14 = { 0f856d010000 8d0476 5e 5f 8d044518500210 5b }
            // n = 6, score = 100
            //   0f856d010000         | jne                 0x173
            //   8d0476               | lea                 eax, [esi + esi*2]
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   8d044518500210       | lea                 eax, [eax*2 + 0x10025018]
            //   5b                   | pop                 ebx

        $sequence_15 = { 83c308 8954241c 8d54241c e8???????? 81fb6cc1e16e 72d2 }
            // n = 6, score = 100
            //   83c308               | add                 ebx, 8
            //   8954241c             | mov                 dword ptr [esp + 0x1c], edx
            //   8d54241c             | lea                 edx, [esp + 0x1c]
            //   e8????????           |                     
            //   81fb6cc1e16e         | cmp                 ebx, 0x6ee1c16c
            //   72d2                 | jb                  0xffffffd4

        $sequence_16 = { c7042488c0e16e e8???????? 6690 a1???????? 85c0 }
            // n = 5, score = 100
            //   c7042488c0e16e       | mov                 dword ptr [esp], 0x6ee1c088
            //   e8????????           |                     
            //   6690                 | nop                 
            //   a1????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_17 = { 5d c3 50 8bd3 8bcf }
            // n = 5, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   50                   | push                eax
            //   8bd3                 | mov                 edx, ebx
            //   8bcf                 | mov                 ecx, edi

        $sequence_18 = { e9???????? 89442404 c70424bcc0e16e e8???????? 90 }
            // n = 5, score = 100
            //   e9????????           |                     
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   c70424bcc0e16e       | mov                 dword ptr [esp], 0x6ee1c0bc
            //   e8????????           |                     
            //   90                   | nop                 

        $sequence_19 = { c744240400000000 e8???????? 83ec08 891c24 }
            // n = 4, score = 100
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   891c24               | mov                 dword ptr [esp], ebx

        $sequence_20 = { c704249014e06e e8???????? 83ec08 85c0 }
            // n = 4, score = 100
            //   c704249014e06e       | mov                 dword ptr [esp], 0x6ee01490
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   85c0                 | test                eax, eax

        $sequence_21 = { 89c7 8944241c 8b4050 8db708010000 890424 89442418 }
            // n = 6, score = 100
            //   89c7                 | mov                 edi, eax
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   8b4050               | mov                 eax, dword ptr [eax + 0x50]
            //   8db708010000         | lea                 esi, [edi + 0x108]
            //   890424               | mov                 dword ptr [esp], eax
            //   89442418             | mov                 dword ptr [esp + 0x18], eax

        $sequence_22 = { 5e c20c00 be1410e26e 81ee1410e26e c1fe02 85f6 }
            // n = 6, score = 100
            //   5e                   | pop                 esi
            //   c20c00               | ret                 0xc
            //   be1410e26e           | mov                 esi, 0x6ee21014
            //   81ee1410e26e         | sub                 esi, 0x6ee21014
            //   c1fe02               | sar                 esi, 2
            //   85f6                 | test                esi, esi

        $sequence_23 = { c7050000000000000000 0f0b c7042400000000 e8???????? }
            // n = 4, score = 100
            //   c7050000000000000000 | mov                 dword ptr [0], 0
            //   0f0b                 | ud2                 
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   e8????????           |                     

    condition:
        7 of them
}
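The rule above is plain YARA and compiles with yara as-is. To make visible how its hex strings and the `7 of them` condition behave on a byte buffer, and how the per-sequence score values in the rule comments can feed the confidence assignment the disclaimer asks for, here is an added Python example that re-implements only the two hex-pattern features this rule uses (fixed bytes and the `??` single-byte wildcard). It is not YARA, not yara-signator and not Malpedia code; the patterns, names and scores are copied from the rule, and the two byte buffers it scans are constructed, not real samples.

```python
"""
Minimal re-implementation of the hex-string matching used by win_tinynuke_auto,
so that a scan can be broken down sequence by sequence and weighted with the
score values from the rule comments.  Added example, not YARA or yara-signator
code: use yara / yara-python for real scanning.
"""
import re

# Hex patterns and scores copied from the win_tinynuke_auto rule.
SEQUENCES = {
    "sequence_0":  ("85c9 0f855effffff 8b44241c 8b0e", 1200),
    "sequence_1":  ("895c2410 8b4b0c 85c9 0f84a2000000 8b06 03c1 50", 1200),
    "sequence_2":  ("8944241c 2b5834 833f00 745f 8d4704 89442414", 1200),
    "sequence_3":  ("83f808 7246 83c0f8 d1e8 89442410 ba00000000 7436", 1200),
    "sequence_4":  ("031e 8b0f 85c9 7440 7905", 1200),
    "sequence_5":  ("83f803 7413 83f80a 7515 8b07 0306", 1200),
    "sequence_6":  ("0338 833f00 75a1 8b5e08 895c2410 8b4b0c", 1200),
    "sequence_7":  ("8d442434 50 8d442428 50 8b4610 ffd0 8d442414", 1200),
    "sequence_8":  ("8d8530f6ffff 50 6802020000 ff15????????", 900),
    "sequence_9":  ("c70604000000 e8???????? eb18 83f803 7519", 500),
    "sequence_10": ("6a2a 50 8945fc ff15????????", 500),
    "sequence_11": ("8b02 8a00 3c0a 7409 3c0d", 500),
    "sequence_12": ("55 8bec 83ec0c 33c0 53 56 57", 200),
    "sequence_13": ("ff15???????? 8b35???????? 8d430c 50", 200),
    "sequence_14": ("0f856d010000 8d0476 5e 5f 8d044518500210 5b", 100),
    "sequence_15": ("83c308 8954241c 8d54241c e8???????? 81fb6cc1e16e 72d2", 100),
    "sequence_16": ("c7042488c0e16e e8???????? 6690 a1???????? 85c0", 100),
    "sequence_17": ("5d c3 50 8bd3 8bcf", 100),
    "sequence_18": ("e9???????? 89442404 c70424bcc0e16e e8???????? 90", 100),
    "sequence_19": ("c744240400000000 e8???????? 83ec08 891c24", 100),
    "sequence_20": ("c704249014e06e e8???????? 83ec08 85c0", 100),
    "sequence_21": ("89c7 8944241c 8b4050 8db708010000 890424 89442418", 100),
    "sequence_22": ("5e c20c00 be1410e26e 81ee1410e26e c1fe02 85f6", 100),
    "sequence_23": ("c7050000000000000000 0f0b c7042400000000 e8????????", 100),
}
THRESHOLD = 7  # the rule's condition: "7 of them"


def hex_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a YARA-style hex string into a bytes regex: every "??" becomes
    a single-byte wildcard, every other pair is a literal byte."""
    compact = pattern.replace(" ", "")
    if len(compact) % 2:
        raise ValueError(f"odd-length hex pattern: {pattern!r}")
    parts = []
    for i in range(0, len(compact), 2):
        pair = compact[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    # DOTALL so the wildcard also matches 0x0a, which "." would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


def find_sequences(buf: bytes) -> dict:
    """Return {sequence name: [offsets]} for every sequence present in buf."""
    hits = {}
    for name, (pattern, _score) in SEQUENCES.items():
        offsets = [m.start() for m in hex_pattern_to_regex(pattern).finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def evaluate_rule(buf: bytes, threshold: int = THRESHOLD):
    """Apply the "N of them" condition and sum the scores of the sequences that
    matched. Returns (rule_fires, matched_count, total_score)."""
    hits = find_sequences(buf)
    total = sum(SEQUENCES[name][1] for name in hits)
    return len(hits) >= threshold, len(hits), total


def instantiate(pattern: str, fill: str = "90") -> bytes:
    """Concrete bytes for a pattern with every "??" replaced by `fill`; used
    only to build the constructed buffers below."""
    return bytes.fromhex(pattern.replace("??", fill))


# Constructed buffers, not real samples: one carrying nine of the rule's
# sequences (enough to fire), one carrying only the two generic sequences a
# compiler emits for an ordinary function prologue and epilogue.
_SEP = b"\xcc" * 3
SAMPLE_HIT = _SEP + _SEP.join(
    instantiate(SEQUENCES[f"sequence_{i}"][0]) for i in range(9)) + _SEP
SAMPLE_BENIGN = (_SEP + instantiate(SEQUENCES["sequence_12"][0]) + _SEP
                 + instantiate(SEQUENCES["sequence_17"][0]) + _SEP)

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("benign", SAMPLE_BENIGN)):
        fires, n, score = evaluate_rule(buf)
        print(f"{label}: fires={fires} matched={n} score={score} "
              f"{sorted(find_sequences(buf))}")
```

Running it lists which sequences fire in each buffer. The benign buffer shows why the condition demands seven sequences rather than one: sequence_12 is a stock function prologue and sequence_17 a stock epilogue, so either is found in many unrelated binaries, and their low scores in the rule reflect that. For real scans use `yara -s` to see per-string matches; this matcher only makes the condition legible.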