December 25, 2016 by Cybersixgill

A New Threat Emerges from the Russian Cybercrime Underground

On December 12th, a cybercriminal going by the moniker Gosya put a new malware offering up for sale: a Trojan with advanced capabilities named Nuke (or Nuclear) HTTP Bot. He claims several advantages for his Trojan, including that it is written entirely from scratch (unlike malware such as Carberp and Gozi, which are inspired by and built on top of the persistent Zeus Trojan). The Trojan can inject code into Chrome and Firefox, fully supports both 32-bit and 64-bit systems, and bypasses UAC and the Windows Firewall.

Like other modern malware, Nuke HTTP Bot is modular: a base package is available to the botnet herder, and additional modules are sold for an extra fee. Some of the modules highlighted in Gosya’s announcement are:

SOCKS proxy module

Formgrabber and Web-Injection module

Remote EXE file launcher module

Hidden VNC module for WinXP-Win10

Rootkit for 32-Bit and 64-Bit machines

Bot-killer – a mini anti-virus meant to remove all competing malware from the infected machine, if any are present.

Nuke HTTP Bot has a fairly small file size: just 83kb uncompressed and 54kb compressed. At the time of writing, the detection rate is extremely low as well; Gosya presented evidence that the malware is currently undetected by mainstream AV engines.

Figure 1: AV test run by the fraudster known as Gosya on his malware, Nuke HTTP Bot

MD5: 4dd0368f65c8f63e2dc568bd6ef2c968
SHA1: f77a744ec8b433da3f713d5909498c9c55cdaef9

A test version had already been found in the wild by Netscout’s Arbor Networks, and the author mentioned that he is aware of it. The variant Arbor analyzed was a test version of the malware; according to Gosya, much of the inner workings of the current version have changed since Arbor’s report was published.

At the time of writing, the full version of the malware, including the bypass of popular endpoint protection solutions and the SOCKS module, costs just $4000 as part of a New Year’s sale run by Gosya.
