The source code for the NukeBot Trojan has been published online on a source-code management platform. The code for NukeBot – or Nuclear Bot as it is also known – appears to have been released by the author, rather than being leaked.
To date, the NukeBot Trojan has not been detected in the wild, even though it was first seen in December 2016. The NukeBot Trojan was developed by a hacker by the name of Gosya. The modular malware has a dual purpose. In addition to it functioning like a classic virus, it also works like an anti-virus program and is capable of detecting and eradicating other installed malware. The modular design means additional components and functionality can easily be added. When attempting to sell the malware in December last year, the author said further modules would be developed.
The release of the code for the NukeBot Trojan is understood to be an effort by the author to regain trust within the hacking community. IBM says Gosya is a relatively new name in hacking circles, having joined cybercrime forums in late 2016.
While newcomers need to build trust and gain the respect of other hacking community members, Gosya almost immediately listed the malware for sale soon after joining underground communities and failed to follow the usual steps taken by other new members.
Gosya may have developed a new malware from scratch, but he failed to have the malware tested and certified. No test versions of the malware were provided and underground forum members discovered Gosya was using different monikers on different forums in an attempt to sell his creation. Gosya’s actions were treated as suspicious and he was banned from forums where he was trying to sell his malware.
While other hackers may have been extremely dubious, they incorrectly assumed that Gosya was attempting to sell a ripped malware. The NukeBot Trojan was not only real, it was fully functional. There was nothing wrong with the malware, the problem was the actions taken by Gosya while attempting to sell his Trojan.
While many new malware variants are developed using sections of code from other malware – Zeus being one of the most popular – the NukeBot Trojan appears to be entirely new. Back in December, when the malware was first detected and analyzed, researchers from Arbor Networks and IBM X-Force verified that the malware was fully functional and had viable code which did not appear to have been taken from any other malware variant. The malware even included an admin control panel that can be used to control infected computers.
Now that the source code has been released it is likely that Gosya will be accepted back in the forums. The source code will almost certainly be used by other malware developers and real-world NukeBot attacks may now start.