win.tinynuke

TinyNuke

aka: NukeBot, Nuclear Bot, MicroBankingTrojan, Xbot

TinyNuke (aka Nuclear Bot) is a fully fledged banking trojan that includes a HiddenDesktop/VNC server and a reverse SOCKS4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch but functioned similarly to the ZeuS banking trojan, in that it could steal passwords and inject arbitrary content when victims visited banking websites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on GitHub. XBot is an offspring of TinyNuke and very similar to its ancestor.

References
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596
https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702
https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet
https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html
https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/
https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/
https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/
https://krebsonsecurity.com/tag/nuclear-bot/
Yara Rules
[TLP:WHITE] win_tinynuke_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_tinynuke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 6a00 6a01 51 03c1 }
            // n = 4, score = 8000
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   51                   | push                ecx
            //   03c1                 | add                 eax, ecx

        $sequence_1 = { 83500400 eb07 8b07 0306 }
            // n = 4, score = 8000
            //   83500400             | adc                 dword ptr [eax + 4], 0
            //   eb07                 | jmp                 0x199132
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   0306                 | add                 eax, dword ptr [esi]

        $sequence_2 = { 8d442424 50 8b4614 6a00 }
            // n = 4, score = 8000
            //   8d442424             | lea                 eax, dword ptr [esp + 0x24]
            //   50                   | push                eax
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   6a00                 | push                0

        $sequence_3 = { 72ca 8b442414 0338 833f00 }
            // n = 4, score = 8000
            //   72ca                 | jb                  0x199103
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   0338                 | add                 edi, dword ptr [eax]
            //   833f00               | cmp                 dword ptr [edi], 0

        $sequence_4 = { 8d442420 50 8b461c ffd0 }
            // n = 4, score = 8000
            //   8d442420             | lea                 eax, dword ptr [esp + 0x20]
            //   50                   | push                eax
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   ffd0                 | call                eax

        $sequence_5 = { 8b44241c 8b0e 8b4028 6a00 }
            // n = 4, score = 8000
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8b4028               | mov                 eax, dword ptr [eax + 0x28]
            //   6a00                 | push                0

        $sequence_6 = { 83c704 8903 8b0f 83c304 }
            // n = 4, score = 8000
            //   83c704               | add                 edi, 4
            //   8903                 | mov                 dword ptr [ebx], eax
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   83c304               | add                 ebx, 4

        $sequence_7 = { 8b7508 57 8b1e 8b7e04 }
            // n = 4, score = 8000
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8b1e                 | mov                 ebx, dword ptr [esi]
            //   8b7e04               | mov                 edi, dword ptr [esi + 4]

        $sequence_8 = { eb07 8b07 0306 011c08 }
            // n = 4, score = 8000
            //   eb07                 | jmp                 0x199132
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   0306                 | add                 eax, dword ptr [esi]
            //   011c08               | add                 dword ptr [eax + ecx], ebx

        $sequence_9 = { 8b5c2410 83c314 895c2410 8b4b0c }
            // n = 4, score = 8000
            //   8b5c2410             | mov                 ebx, dword ptr [esp + 0x10]
            //   83c314               | add                 ebx, 0x14
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   8b4b0c               | mov                 ecx, dword ptr [ebx + 0xc]

    condition:
        7 of them
}
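To see how the rule above is evaluated, here is an added example (not Malpedia's or yara-signator's code) that parses the ten `$sequence_N` hex strings copied from the rule, searches a buffer for each one and applies the `7 of them` condition. The buffers `HIT` and `MISS` are constructed stand-ins for an unpacked memory dump, not real samples; note that the rule's strings come from unpacked code, so a packed file on disk will usually not fire it.

```python
import re

# The ten $sequence_N hex strings copied verbatim from the win_tinynuke_auto rule.
RULE_STRINGS = """
$sequence_0 = { 6a00 6a01 51 03c1 }
$sequence_1 = { 83500400 eb07 8b07 0306 }
$sequence_2 = { 8d442424 50 8b4614 6a00 }
$sequence_3 = { 72ca 8b442414 0338 833f00 }
$sequence_4 = { 8d442420 50 8b461c ffd0 }
$sequence_5 = { 8b44241c 8b0e 8b4028 6a00 }
$sequence_6 = { 83c704 8903 8b0f 83c304 }
$sequence_7 = { 8b7508 57 8b1e 8b7e04 }
$sequence_8 = { eb07 8b07 0306 011c08 }
$sequence_9 = { 8b5c2410 83c314 895c2410 8b4b0c }
"""
THRESHOLD = 7  # the rule's condition: "7 of them"

def parse_hex_strings(rule_text):
    """Return {name: bytes} for every '$name = { hex }' line.
    Handles plain hex only; YARA wildcards (??) and jumps ([n-m]) are not supported here."""
    out = {}
    for name, body in re.findall(r"\$(\w+)\s*=\s*\{([0-9a-fA-F\s]+)\}", rule_text):
        out[name] = bytes.fromhex("".join(body.split()))
    return out

SEQUENCES = parse_hex_strings(RULE_STRINGS)

def matched_sequences(buf):
    """Names of rule strings found anywhere in buf (substring search, as YARA does for plain hex strings)."""
    return sorted(name for name, pattern in SEQUENCES.items() if pattern in buf)

def rule_matches(buf):
    """Evaluate the rule's condition ('7 of them') over buf."""
    return len(matched_sequences(buf)) >= THRESHOLD

def build_sample(names):
    """Constructed test input: the chosen sequences joined with NOP padding."""
    return b"\x90\x90".join(SEQUENCES[n] for n in names)

# Constructed buffers, not real samples: eight sequences trip the rule, six do not.
HIT = build_sample(["sequence_%d" % i for i in range(8)])
MISS = build_sample(["sequence_%d" % i for i in range(6)])

if __name__ == "__main__":
    print(len(SEQUENCES), "strings parsed")
    print("HIT  ->", rule_matches(HIT), matched_sequences(HIT))
    print("MISS ->", rule_matches(MISS), matched_sequences(MISS))
```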