Improved Nukebot malware modifies its targets and develops new features

by Lucia Danes

An improved version of the Nukebot Trojan, also known as Jimmy Nukebot, has changed its focus and features. Until now, the virus stole bank card information; it now aims to secretly download malicious payloads in order to mine cryptocurrency, download web-injects, and take screenshots of targeted systems.[1]

The updated code of the Nukebot malware was detected in March 2017, and it is the most recent modified version of the virus detected since the code leak.

Kaspersky Lab reports that “The Trojan was seriously rewritten”: the main body of the virus was restructured and all of its features were moved into the malware’s modules. Nukebot, also called Nuclear Bot, appeared on hidden marketplaces in December 2016. At first, the Trojan came with a variety of commands, the ability to download web-injects, and man-in-the-browser capability.

The updated version of the Trojan differs from the old one in its “calculation of checksums from the names of API functions or/and libraries and strings”, states Sergey Yunakovsky, Kaspersky Lab malware analyst, in his latest report. He adds that in the first case the checksums are used to find the required API calls, while in the second case they are used to compare strings, including commands and process names.

The malware analyst also adds that this approach complicates static analysis of Nukebot.

Yunakovsky reports that identifying the detected process that suspends the Trojan's operations requires calculating checksums from a number of strings or brute-forcing the symbols in a particular range.

In contrast, the comparable NeutrinoPOS Trojan applies two different algorithms to calculate checksums. Yunakovsky states that Nukebot uses only one algorithm to calculate checksums for the names of API calls, libraries and strings. A final XOR with a fixed two-byte value was added to the pseudo-random generator.
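The analyst-side workaround described above, calculating checksums over a list of candidate strings and matching them against constants found in a sample, is sketched below as an added example; it is not code from this article or from Kaspersky Lab. The checksum is a stand-in (standard CRC32 with a final XOR), and the two-byte constant, the candidate names and the "observed" constants are constructed placeholders.

```python
import zlib
from typing import Dict, Iterable, List, Optional

# Assumption: the article does not give the Trojan's checksum routine or its
# XOR constant. CRC32 and 0xBEEF are stand-ins so the workflow can be run.
XOR_CONST = 0xBEEF  # placeholder two-byte value

def checksum(name: str, xor_const: int = XOR_CONST) -> int:
    """Stand-in checksum: CRC32 of the string followed by a final XOR."""
    return (zlib.crc32(name.encode("ascii")) ^ xor_const) & 0xFFFFFFFF

def build_lookup(candidates: Iterable[str], xor_const: int = XOR_CONST) -> Dict[int, List[str]]:
    """Precompute checksum -> candidate strings; a list keeps collisions visible."""
    table: Dict[int, List[str]] = {}
    for name in candidates:
        table.setdefault(checksum(name, xor_const), []).append(name)
    return table

def resolve(constants: Iterable[int], table: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Annotate constants taken from a disassembly; unmatched ones map to []."""
    return {c: table.get(c, []) for c in constants}

def recover_xor_const(observed: int, known_name: str) -> Optional[int]:
    """With one known (constant, string) pair the final XOR value falls out.
    Returns None when the result does not fit in two bytes (wrong pairing)."""
    k = observed ^ zlib.crc32(known_name.encode("ascii"))
    return k if 0 <= k <= 0xFFFF else None

# Constructed wordlist: process and API names an analyst might try.
CANDIDATES = ["procmon.exe", "wireshark.exe", "ollydbg.exe",
              "LoadLibraryA", "VirtualAlloc"]

if __name__ == "__main__":
    # Constructed "observed" constants: two derived from the wordlist, one unknown.
    observed = [checksum("wireshark.exe"), checksum("VirtualAlloc"), 0x12345678]
    table = build_lookup(CANDIDATES)
    for const, names in resolve(observed, table).items():
        print(f"0x{const:08X} -> {names or 'unresolved: extend wordlist'}")
    print(hex(recover_xor_const(observed[0], "wireshark.exe")))
```

Constants that stay unresolved show why this obfuscation slows static analysis: the name behind them can only be recovered by extending the wordlist or brute-forcing candidate strings.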

Cybercriminals have assembled a few variations of the Nukebot since its leak in March. In July, 2017, Kaspersky Lab announced a number of test samples. Only a few of them (about 5%) were used in cyber attacks. Kaspersky Lab couldn’t specify if those attacks were organized by a few scattered hackers or an organized group.

The most recent Nukebot version has lost the ability to steal credit card data from an infected computer or mobile device. This Nukebot aims to receive modules from a remote component and launch them on the system.

These modules range from mining and web-injects to a large number of updates for the main module in various droppers. “The miner is designed to extract the Monero currency (XMR). In the module code there is an identifier associated with a wallet for which the crypto currency is extracted, as well as the address of the pool,” Kaspersky Lab stated.

Researchers also claim that these web-injects target web browsers including Firefox, Chrome, and Internet Explorer. Nukebot is capable of implementing NeutrinoPOS and taking screenshots, as well as “raising” proxy servers. In addition, “These modules are distributed in the form of libraries and their Internet Explorer functions vary depending on the name of the process in which they are located,” Kaspersky Lab reported.

According to S. Yunakovsky, Jimmy Nukebot is a perfect example of the power of source code and how readily it can be adapted into a quality Trojan.

About the author

Lucia Danes - Malware and spyware analyst

Lucia Danes is a news editor at She is extremely passionate when it comes to helping people deal with various online threats, so she wants her articles to be understood even by those with no IT background.
