TinyNuke (Malware Family)

TinyNuke

aka: NukeBot, Nuclear Bot, MicroBankingTrojan, Xbot

VTCollection URLhaus

TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor.

References

2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader

2022-03-21 ⋅ AhnLab ⋅ ASEC Analysis Team
BitRAT Disguised as Windows Product Key Verification Tool Being Distributed
BitRAT TinyNuke

2021-10-20 ⋅ AhnLab ⋅ ASEC Analysis Team
VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group
TinyNuke

2019-12-17 ⋅ Brian Krebs
Nuclear Bot Author Arrested in Sextortion Case
TinyNuke Varenyky

2018-05-21 ⋅ Juniper ⋅ Paul Kimayong
Nukebot Banking Trojan targeting people in France
TinyNuke

2018-02-02 ⋅ BitSight ⋅ Tiago Pereira
Break Out Of The Tinynuke Malware
TinyNuke

2017-07-19 ⋅ Kaspersky Labs ⋅ Sergey Yunakovsky
The NukeBot banking Trojan: from rough drafts to real threats
TinyNuke

2017-04-06 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer
TinyNuke

2017-03-28 ⋅ SecurityIntelligence ⋅ Ilya Kolmanovich, Limor Kessem
The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak
TinyNuke

2016-12-19 ⋅ NetScout ⋅ Dennis Schwarz
Dismantling a Nuclear Bot
TinyNuke

Yara Rules

[TLP:WHITE] win_tinynuke_auto (20230808 | Detects win.tinynuke.)

rule win_tinynuke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.tinynuke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 55 8bec 817d0c00040000 }
            // n = 4, score = 1600
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   817d0c00040000       | cmp                 dword ptr [ebp + 0xc], 0x400

        $sequence_1 = { 6aff ff7508 6a00 68e9fd0000 ff15???????? 8bc3 5b }
            // n = 7, score = 1400
            //   6aff                 | push                -1
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   68e9fd0000           | push                0xfde9
            //   ff15????????         |                     
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx

        $sequence_2 = { 7625 53 8b5d08 57 8b7d10 57 }
            // n = 6, score = 1400
            //   7625                 | jbe                 0x27
            //   53                   | push                ebx
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   57                   | push                edi

        $sequence_3 = { ff35???????? a3???????? 57 ff15???????? ff35???????? 8b7dfc }
            // n = 6, score = 1400
            //   ff35????????         |                     
            //   a3????????           |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]

        $sequence_4 = { 50 56 57 ff35???????? c745f801000000 }
            // n = 5, score = 1400
            //   50                   | push                eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff35????????         |                     
            //   c745f801000000       | mov                 dword ptr [ebp - 8], 1

        $sequence_5 = { 8d8530f6ffff 50 6802020000 ff15???????? 85c0 }
            // n = 5, score = 1400
            //   8d8530f6ffff         | lea                 eax, [ebp - 0x9d0]
            //   50                   | push                eax
            //   6802020000           | push                0x202
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_6 = { 8945f4 8d85d4feffff 50 ff15???????? }
            // n = 4, score = 1400
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8d85d4feffff         | lea                 eax, [ebp - 0x12c]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_7 = { 6a03 53 53 6800000080 50 ff15???????? a3???????? }
            // n = 7, score = 1400
            //   6a03                 | push                3
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6800000080           | push                0x80000000
            //   50                   | push                eax
            //   ff15????????         |                     
            //   a3????????           |                     

        $sequence_8 = { ff75ec ff75fc e8???????? 83c40c 5f }
            // n = 5, score = 1300
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   5f                   | pop                 edi

        $sequence_9 = { ff15???????? ff35???????? 8d85a4feffff 50 }
            // n = 4, score = 1300
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   8d85a4feffff         | lea                 eax, [ebp - 0x15c]
            //   50                   | push                eax

        $sequence_10 = { 8d85a4feffff 50 ff15???????? ff35???????? }
            // n = 4, score = 1300
            //   8d85a4feffff         | lea                 eax, [ebp - 0x15c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   ff35????????         |                     

        $sequence_11 = { ff15???????? a3???????? ff35???????? ff75f8 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   a3????????           |                     
            //   ff35????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]

        $sequence_12 = { a3???????? 68e2010000 68???????? 68???????? e8???????? }
            // n = 5, score = 800
            //   a3????????           |                     
            //   68e2010000           | push                0x1e2
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_13 = { e8???????? eb18 83f803 7519 }
            // n = 4, score = 800
            //   e8????????           |                     
            //   eb18                 | jmp                 0x1a
            //   83f803               | cmp                 eax, 3
            //   7519                 | jne                 0x1b

        $sequence_14 = { 59 a3???????? c9 c3 55 }
            // n = 5, score = 800
            //   59                   | pop                 ecx
            //   a3????????           |                     
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_15 = { 6a2a 50 8945fc ff15???????? }
            // n = 4, score = 800
            //   6a2a                 | push                0x2a
            //   50                   | push                eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     

        $sequence_16 = { a3???????? ff35???????? ff75ec ff15???????? }
            // n = 4, score = 800
            //   a3????????           |                     
            //   ff35????????         |                     
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff15????????         |                     

        $sequence_17 = { 8a00 3c0a 7409 3c0d }
            // n = 4, score = 800
            //   8a00                 | mov                 al, byte ptr [eax]
            //   3c0a                 | cmp                 al, 0xa
            //   7409                 | je                  0xb
            //   3c0d                 | cmp                 al, 0xd

        $sequence_18 = { 50 8d85f0fdffff 50 ff15???????? ff75fc 8d85f0fdffff }
            // n = 6, score = 700
            //   50                   | push                eax
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]

        $sequence_19 = { ff15???????? 8d85d0fcffff 50 e8???????? 59 }
            // n = 5, score = 700
            //   ff15????????         |                     
            //   8d85d0fcffff         | lea                 eax, [ebp - 0x330]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_20 = { ff15???????? 8b35???????? 8d430c 50 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   8d430c               | lea                 eax, [ebx + 0xc]
            //   50                   | push                eax

        $sequence_21 = { 8b0f 85c9 742a 8d440b02 85c9 }
            // n = 5, score = 100
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   85c9                 | test                ecx, ecx
            //   742a                 | je                  0x2c
            //   8d440b02             | lea                 eax, [ebx + ecx + 2]
            //   85c9                 | test                ecx, ecx

        $sequence_22 = { 8b44241c 8bb0a0000000 2b6834 01de 8b16 85d2 }
            // n = 6, score = 100
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   8bb0a0000000         | mov                 esi, dword ptr [eax + 0xa0]
            //   2b6834               | sub                 ebp, dword ptr [eax + 0x34]
            //   01de                 | add                 esi, ebx
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   85d2                 | test                edx, edx

        $sequence_23 = { 8bb90000e06e 0f848e000000 83fa20 0f84f0000000 83fa08 0f84b4000000 }
            // n = 6, score = 100
            //   8bb90000e06e         | mov                 edi, dword ptr [ecx + 0x6ee00000]
            //   0f848e000000         | je                  0x94
            //   83fa20               | cmp                 edx, 0x20
            //   0f84f0000000         | je                  0xf6
            //   83fa08               | cmp                 edx, 8
            //   0f84b4000000         | je                  0xba

        $sequence_24 = { 890424 89442418 e8???????? 89c3 }
            // n = 4, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   e8????????           |                     
            //   89c3                 | mov                 ebx, eax

        $sequence_25 = { ffd6 57 53 ffd6 5f 5e 8bc3 }
            // n = 7, score = 100
            //   ffd6                 | call                esi
            //   57                   | push                edi
            //   53                   | push                ebx
            //   ffd6                 | call                esi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8bc3                 | mov                 eax, ebx

        $sequence_26 = { 8b06 85c0 75b7 8b7c241c 8b8780000000 }
            // n = 5, score = 100
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   85c0                 | test                eax, eax
            //   75b7                 | jne                 0xffffffb9
            //   8b7c241c             | mov                 edi, dword ptr [esp + 0x1c]
            //   8b8780000000         | mov                 eax, dword ptr [edi + 0x80]

        $sequence_27 = { c744240840000000 891c24 89dd 8944240c 8b442418 89442404 e8???????? }
            // n = 7, score = 100
            //   c744240840000000     | mov                 dword ptr [esp + 8], 0x40
            //   891c24               | mov                 dword ptr [esp], ebx
            //   89dd                 | mov                 ebp, ebx
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   e8????????           |                     

        $sequence_28 = { 745c 01d8 890424 e8???????? 83ec04 89c6 }
            // n = 6, score = 100
            //   745c                 | je                  0x5e
            //   01d8                 | add                 eax, ebx
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   89c6                 | mov                 esi, eax

        $sequence_29 = { a1???????? 83c014 03c7 894df8 8945f4 7417 }
            // n = 6, score = 100
            //   a1????????           |                     
            //   83c014               | add                 eax, 0x14
            //   03c7                 | add                 eax, edi
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   7417                 | je                  0x19

        $sequence_30 = { 03c7 83f864 0f873f010000 8b45c0 8b7dbc }
            // n = 5, score = 100
            //   03c7                 | add                 eax, edi
            //   83f864               | cmp                 eax, 0x64
            //   0f873f010000         | ja                  0x145
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   8b7dbc               | mov                 edi, dword ptr [ebp - 0x44]

        $sequence_31 = { c744241000000000 c744240c50c30000 c744240850c30000 c744240400000000 e8???????? }
            // n = 5, score = 100
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   c744240c50c30000     | mov                 dword ptr [esp + 0xc], 0xc350
            //   c744240850c30000     | mov                 dword ptr [esp + 8], 0xc350
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1196032
}

Download all Yara Rules

TinyNuke Propose Change

References

Yara Rules

TinyNuke