A modification of the Neutrino malware has been discovered by security researchers. The Trojan has been modified to put its functions into modules to make analysis much more difficult.
Dubbed Jimmy Nukebot by Kaspersky Lab researcher Sergey Yunakovsky, the Trojan has undergone an extensive rewrite by the author. Yunakovsky noted that one small difference that immediately stands out is in the calculation of checksums from the names of API functions/libraries and strings. In the first case, the checksums are used to find the necessary API calls; in the second case, for a comparison of strings (commands, process names).
“This approach makes static analysis much more complicated: for example, to identify which detected process halts the Trojan operation, it’s necessary to calculate the checksums from a huge list of strings, or to bruteforce the symbols in a certain length range. NeutrinoPOS uses two different algorithms to calculate checksums for the names of API calls, libraries and for the strings,” he said.
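The lookup work described in the quote above, sketched as an added example for analysts (it is not code from Kaspersky Lab or from the malware). The two checksum routines are stand-ins chosen as assumptions, since the article does not give the Trojan's algorithms; an analyst would swap in the routines recovered from the sample. The wordlist and constants are constructed.

```python
import zlib
from typing import Callable, Dict, Iterable, List, Tuple

Checksum = Callable[[str], int]

def crc32_lower(name: str) -> int:
    """Stand-in #1 (assumption): CRC32 of the lowercased string."""
    return zlib.crc32(name.lower().encode("ascii")) & 0xFFFFFFFF

def ror13_add(name: str) -> int:
    """Stand-in #2 (assumption): rotate right by 13 bits, then add each byte."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h

# Two routines, mirroring the article's point that names and strings use different ones.
ALGOS: Dict[str, Checksum] = {"crc32_lower": crc32_lower, "ror13_add": ror13_add}

def build_table(candidates: Iterable[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map checksum -> [(algorithm, string)], keeping collisions side by side."""
    table: Dict[int, List[Tuple[str, str]]] = {}
    for s in candidates:
        for algo_name, algo in ALGOS.items():
            table.setdefault(algo(s), []).append((algo_name, s))
    return table

def resolve(constants: Iterable[int], candidates: Iterable[str]):
    """Return {constant: matches}; an empty list means the wordlist needs extending."""
    table = build_table(candidates)
    return {c: table.get(c, []) for c in constants}

# Constructed wordlist: process names and API names an analyst might try.
WORDLIST = ["procmon.exe", "wireshark.exe", "ollydbg.exe",
            "CreateFileW", "VirtualAlloc", "LoadLibraryA"]

# Constructed "observed" constants, as if lifted from comparisons in a disassembly.
OBSERVED = [crc32_lower("wireshark.exe"), ror13_add("VirtualAlloc"), 0xDEADBEEF]

if __name__ == "__main__":
    for const, matches in resolve(OBSERVED, WORDLIST).items():
        print(f"{const:#010x} -> {matches or 'unresolved'}")
```

A constant that stays unresolved is the case the quote warns about: the wordlist has to grow, or the string has to be brute-forced over a length range.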
He added that the malware has completely lost the functionality for stealing bank card data from the memory of an infected device; now, its task is limited solely to receiving modules from a remote node and installing them into the system.
These modules contain the payload, according to the researcher. There were new modules for web-injects, mining and a large number of updates for the main module in various droppers. The miner is designed to extract the Monero currency (XMR). The web-inject modules are so called for their primary intended use, although they are also able to perform functions similar to those in NeutrinoPOS, i.e., take screenshots, “raise” proxy servers, etc.
“These modules are distributed in the form of libraries and their functions vary depending on the name of the process in which they are located,” said Yunakovsky.
The researcher added that in isolation from the previous modifications, the newly created Jimmy would not be of much interest to researchers.
“However, in this context, it is an excellent example of what can be done with the source code of a quality Trojan, namely, flexibly adapt to the goals and tasks set before a botnet to take advantage of a new source,” he added.
Javvad Malik, security advocate at AlienVault, told SC Media UK that this spring, the author of the NukeBot banking Trojan published the source code of his creation. Once such Trojans, or malware, go open source, there are two main impacts.
“Firstly, it increases in popularity and use. But with this, the chances of it being detected and prevented by security tools increases; so, the second impact is that others will increasingly modify the malware in order to bypass security controls,” he said.
“Organisations should invest in security technologies that are constantly updated with threat intelligence so that they can better detect and respond to new threats as they emerge.”
Tony Rowan, chief security consultant at SentinelOne, told SC Media UK that this is clearly a move to react to the advances in detection methods that have been made.
“The obfuscation of API calls is an attempt to complicate detection by forms of static analysis which have an element of reliance on understanding the system calls that a code contains. In this respect, it has the capacity to bypass some of the newest detection techniques. Also, the code has been redesigned to make it capable of deploying new modules at will and this feature alone means that a successful infection has the capacity to carry out a very wide range of malicious actions,” he said.
Josh Mayfield, platform specialist, Immediate Insight at FireMon, told SC Media UK that ultimately, Jimmy is a code sequence. “Organisations can take advantage of threat intelligence to gain insight into what’s possible in their environments. Then, security teams can survey the environment to cross-reference where Jimmy could be hiding – threat hunting,” he said.
“Secondly, organisations can ‘Red Team’ these situations by taking advantage of Jimmy for themselves. By using Jimmy in their environments, organisations can proactively think like the enemy and discover their own weaknesses; provided they have the intellectual courage to take a hard look at their own shortcomings.”
Mayfield said that the malware responds to the situation based on all the data it receives from passive reconnaissance. “This means, Jimmy will not trigger alerts. An organisation could be compromised, but without alerts, they may lull themselves into a false assurance because, ‘the models are not saying there is any problem’.
“The more the frequency of passive reconnaissance bots (like Jimmy) increases, the more imperative it is to second-guess one’s assumptions of security – organisations need to go on offense.”