On December 12th, a cybercriminal going by the moniker Gosya presented a new malware solution for sale: a Trojan with advanced capabilities named Nuke (or Nuclear) HTTP Bot. He claims several advantages for his Trojan, including that it is written fully from scratch (unlike malware such as Carberp and Gozi, which are derived from and built on top of the persistent Zeus Trojan). The Trojan is capable of injecting code into Chrome and Firefox, supports both 32-bit and 64-bit systems, and bypasses UAC and the Windows Firewall.
Similar to other modern malware, Nuke HTTP Bot is modular, with a base package available to the botnet herder and additional modules that are sold for an extra fee. Some of the modules that are highlighted in Gosya’s announcement are:
SOCKS proxy module
Formgrabber and Web-Injection module
Remote EXE file launcher module
Hidden VNC module for WinXP-Win10
Rootkit for 32-Bit and 64-Bit machines
Bot-killer – a mini anti-virus meant to remove all competing malware from the infected machine, if any are present.
Nuke HTTP Bot boasts a fairly small file size of just 83 KB uncompressed and 54 KB compressed. At the time of writing, its detection rate is also extremely low: Gosya presented evidence that the malware is currently undetected by mainstream AV engines.
Figure 1: AV test run by the fraudster known as Gosya on his malware, Nuke HTTP Bot
MD5: 4dd0368f65c8f63e2dc568bd6ef2c968
SHA1: f77a744ec8b433da3f713d5909498c9c55cdaef9
A test version had already been found in the wild by Netscout’s Arbor Networks. The author acknowledged that he is aware of this analysis and stated that the sample Arbor examined was a test version of the malware. According to Gosya, much of the current version’s inner workings have changed since Arbor’s report was published.
At the time of writing, the full version of the malware, including the bypass of popular endpoint protection solutions and the SOCKS module, costs just $4000 as part of a New Year’s sale run by Gosya.