Jimmy Nukebot Explodes on the Scene, Transforming NeutrinoPOS

The NeutrinoPOS banking trojan, a constantly evolving malware thanks to its source code having been posted online last spring, has a new form, ominously dubbed Jimmy Nukebot.

Interestingly, it’s no longer in the banking business. Rather, it’s designed to help bad actors do so much more.

“The authors seriously rewrote the trojan—the main body was restructured, the functions were moved to the modules,” explained Kaspersky Lab researcher Sergey Yunakovsky, in an analysis. “The trojan has completely lost the functionality for stealing bank-card data from the memory of an infected device; now, its task is limited solely to receiving modules from a remote node and installing them into the system.”

Those modules contain the payloads, which notably include web injects (which can perform functions similar to those in NeutrinoPOS, like taking screenshots, setting up proxy servers and so on) and a large number of updates for the main module in various droppers.

Mounir Hahad, senior director of Cyphort Labs, noted that if it goes undetected, this new variant of NeutrinoPOS will be able to act as a backdoor into the organization. “[That means] allowing monitoring of user actions and exfiltration of any data the bad actors can lay their hands on,” he said, via email. “Given that it can install newly downloaded modules at will, the sky is the limit as to what it can be commandeered to do.”

Another payload is a miner that extracts the virtual Monero currency (XMR) using compromised machines.

Of interest is the trajectory that Jimmy Nukebot demonstrates for malware: This spring, the author of the NukeBot banking Trojan published the source code of his creation, resulting in this latest iteration some months later (it has probably been active since early July).

“It is an excellent example of what can be done with the source code of a quality trojan, namely, flexibly adapt to the goals and tasks set before a botnet to take advantage of a new source,” said Yunakovsky.

Josh Mayfield, platform specialist, Immediate Insight at FireMon, told us that the modification affords the trojan an opportunity to learn versus instantly executing malicious behavior (e.g. data theft)—which is a significant development.

“This is the quintessential algorithmic process pairing of explore and exploit,” he said. “Computational models have this pair running simultaneously to maximize effects and outcomes. We humans have this function in our neural system as well. Every time you’re deciding what to have for dinner, you are computing – exploring options, exploiting the knowledge to maximize the outcome. Jimmy is doing the same thing… This function allows Jimmy to gather information, be self-referential, and run through what it has explored for later use and exploitation.”

He added that historically, the attacker community would take advantage of widely applicable weaknesses and immediately go to exploitation. Jimmy, on the other hand, takes note of the information it receives from a given specified target and tailors its payload to that specific environment.

“End user education is critical in the evolving landscape of trojans like Jimmy,” said Mayfield. “The average person is not going to be as well-informed about the threats or problems they face. It is important to make users aware that these things exist, they can cause damage and simple measures can be taken. End users do not readily see the need for things like two-factor authentication, regular password resets, password complexity standards and so on. Awareness of just how dangerous the world can be can help them to take their medicine.”
