Kaspersky Lab researchers have found that a recent modification of the Neutrino banking trojan reuses parts of the NukeBot source code.
The newly found malware, called Jimmy, is rather similar to NeutrinoPOS, but its main body has been restructured and some functions have been moved out into modules.
Because of that change, the new trojan no longer includes the functionality for stealing bank card data from the memory of an infected device; it is limited to receiving modules from a remote server and installing them.
The new malware can conduct an extended scan of an infected host, combining checks inherited from Neutrino with a check of its own file name. Using the cpuid assembly instruction, Jimmy also retrieves information about the processor and compares it with checksums it contains.
Yet, according to Kaspersky Lab, the trojan has been seriously rewritten: “One small difference that immediately stands out is in the calculation of checksums from the names of API functions/libraries and strings. In the first case, the checksums are used to find the necessary API calls; in the second case, for a comparison of strings (commands, process names). This approach makes static analysis much more complicated.”
Unlike NeutrinoPOS, which uses two algorithms to calculate checksums for the names of API calls, libraries and strings, the Jimmy banking trojan uses only one algorithm for all these purposes. Nevertheless, the experts say that the communication protocol with the command and control server remained the same.
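The two mechanisms described above, a single checksum routine used both to locate API calls and to compare command/process strings, plus a cpuid-derived value checked against stored checksums, are illustrated by the following added example. This is not Kaspersky's or Jimmy's code: the page does not give Jimmy's actual algorithm, so the multiply-add hash, the export-name list, the command names "load"/"shot" and the function names are all assumptions made for the illustration. It shows both sides: what the binary does (only checksums are embedded, so the plaintext names never appear in the sample) and what an analyst does to undo it (hash every candidate name and compare).

```c
/* Added illustration, not Kaspersky's or Jimmy's code. The hash is a
 * hypothetical multiply-add routine; the page only says that one routine
 * serves API names, library names and command/process strings. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* One checksum routine for every purpose, as the page describes for Jimmy. */
uint32_t name_hash(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++)
        h = h * 33u + (unsigned char)*s;   /* wraps mod 2^32 */
    return h;
}

/* Constructed stand-in for an export table (the names an analyst would read
 * from a DLL's export directory). */
static const char *const kExports[] = {
    "CreateFileA", "GetProcAddress", "LoadLibraryA",
    "VirtualAlloc", "WriteProcessMemory",
};

/* Analyst side: turn a checksum found in the binary back into an API name by
 * hashing every candidate export and comparing. Returns NULL if nothing matches. */
const char *resolve_hash(uint32_t target)
{
    for (size_t i = 0; i < sizeof kExports / sizeof kExports[0]; i++)
        if (name_hash(kExports[i]) == target)
            return kExports[i];
    return NULL;
}

/* Malware side: the binary carries only checksums of its commands, so the
 * strings "load" and "shot" (hypothetical command names) never appear in the
 * sample. The constants are name_hash("load") and name_hash("shot"). */
enum cmd { CMD_UNKNOWN = 0, CMD_LOAD_MODULE, CMD_SCREENSHOT };

enum cmd dispatch_command(const char *received)
{
    static const struct { uint32_t sum; enum cmd c; } table[] = {
        { 4005376u, CMD_LOAD_MODULE },   /* name_hash("load") */
        { 4249790u, CMD_SCREENSHOT },    /* name_hash("shot") */
    };
    uint32_t h = name_hash(received);
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].sum == h)
            return table[i].c;
    return CMD_UNKNOWN;
}

/* cpuid leaf 0 vendor string (ebx, edx, ecx order). Fills out[13] and
 * returns 12 on x86; returns -1 where cpuid is unavailable. */
int cpu_vendor(char out[13])
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx))
        return -1;
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &edx, 4);
    memcpy(out + 8, &ecx, 4);
    out[12] = '\0';
    return 12;
#else
    (void)out;
    return -1;
#endif
}

/* Hash the vendor string and compare it with a stored list, the way the page
 * says Jimmy compares cpuid output with checksums it carries. 1 on match. */
int cpu_vendor_listed(const uint32_t *sums, size_t n)
{
    char v[13];
    if (cpu_vendor(v) < 0)
        return 0;
    uint32_t h = name_hash(v);
    for (size_t i = 0; i < n; i++)
        if (sums[i] == h)
            return 1;
    return 0;
}

int cpu_vendor_len(void) { char v[13]; return cpu_vendor(v); }

int main(void)
{
    char v[13];
    printf("name_hash(\"load\") = %u\n", name_hash("load"));
    printf("resolve(%u) = %s\n", name_hash("VirtualAlloc"),
           resolve_hash(name_hash("VirtualAlloc")));
    if (cpu_vendor(v) > 0)
        printf("cpu vendor %s, hash %u\n", v, name_hash(v));
    return 0;
}
```

The analyst-side lookup is the practical point: once the hash routine has been recovered from the binary, a list of export names from the DLLs the sample loads is enough to label every checksum, which is how static analysis gets its API names back.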
The analysis of the trojan shows that the payload lives in the modules the main body receives. These modules provide web injects and mining capabilities for the Monero currency (XMR). Jimmy's mining module includes an identifier for the wallet into which the mined cryptocurrency is paid, as well as the address of the pool.
Apart from injecting code into web pages, the web-inject modules can also create proxy servers, take screenshots, and perform other nefarious operations, similar to those in NeutrinoPOS. The modules are distributed as libraries and expose different functions depending on the name of the process into which they are loaded.
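The wallet identifier and pool address in the mining module are the two indicators an analyst would want to pull out of such a module. The following added example (not code from Kaspersky or from the Jimmy module) scans a raw byte buffer for both. It assumes a standard Monero address of 95 base58 characters beginning with '4' and a pool written as a "stratum+tcp://host:port" URL; the page does not say how Jimmy stores either value, and both checks are format heuristics only (no address checksum is validated). The sample buffer is constructed inline and the wallet in it is synthetic.

```c
/* Added example, not Kaspersky's or Jimmy's code. Extracts a Monero-shaped
 * wallet string and a stratum pool URL from a byte buffer. Assumptions: a
 * standard Monero address is 95 base58 chars starting with '4'; the pool is
 * a "stratum+tcp://" URL. Heuristics only, no address checksum is checked. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char kBase58[] =
    "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

static int is_b58(unsigned char c)
{
    /* c != 0 guard: strchr() would otherwise match the terminating NUL. */
    return c != 0 && strchr(kBase58, c) != NULL;
}

/* Offset of the first run of exactly 95 base58 chars beginning with '4',
 * or -1 if the buffer holds none. */
long find_xmr_address(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        if (buf[i] == '4' && (i == 0 || !is_b58(buf[i - 1]))) {
            size_t j = i;
            while (j < len && is_b58(buf[j]))
                j++;
            if (j - i == 95)
                return (long)i;
            i = j;                    /* skip the whole run */
        } else {
            i++;
        }
    }
    return -1;
}

/* Copies the printable run starting at a "stratum+tcp://" prefix into out.
 * Returns 1 if a pool URL was found, 0 otherwise. */
int find_pool_url(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    static const char pfx[] = "stratum+tcp://";
    const size_t plen = sizeof pfx - 1;
    for (size_t i = 0; i + plen <= len; i++) {
        if (memcmp(buf + i, pfx, plen) != 0)
            continue;
        size_t n = 0;
        while (i < len && buf[i] > ' ' && buf[i] < 0x7f && n + 1 < outlen)
            out[n++] = buf[i++];
        out[n] = '\0';
        return 1;
    }
    return 0;
}

/* Constructed module image: NUL-separated strings around a synthetic wallet
 * (right shape, not a real or checksummed address) and a pool URL. */
static unsigned char g_sample[256];

static size_t build_sample(void)
{
    size_t n = 0;
    memcpy(g_sample + n, "kernel32.dll", 13); n += 13;          /* incl. NUL */
    g_sample[n++] = '4';
    for (int k = 1; k < 95; k++)
        g_sample[n++] = kBase58[k % 58];
    g_sample[n++] = '\0';
    memcpy(g_sample + n, "stratum+tcp://pool.example:3333", 32); n += 32; /* incl. NUL */
    memcpy(g_sample + n, "\x90\x90\xcc", 3); n += 3;           /* trailing junk */
    return n;
}

long sample_wallet_offset(void)
{
    size_t n = build_sample();
    return find_xmr_address(g_sample, n);
}

const char *sample_pool_url(void)
{
    static char url[64];
    size_t n = build_sample();
    return find_pool_url(g_sample, n, url, sizeof url) ? url : NULL;
}

int main(void)
{
    long off = sample_wallet_offset();
    if (off >= 0)
        printf("wallet at offset %ld: %.95s\n", off, (const char *)g_sample + off);
    printf("pool: %s\n", sample_pool_url());
    return 0;
}
```

On a real module the same two functions would be run over the unpacked file or a memory dump; a hit on both gives the wallet and pool to pivot on, and the pool URL is the one worth blocking at the network edge.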
The Jimmy banking trojan stores a number of parameters in the registry. The researchers explain that they also managed to retrieve a test sample of the web injects, and that future iterations of the malware might “acquire ‘combat’ versions.”
After comparing the restored code of Jimmy with the source code of NukeBot, Kaspersky Lab found that parts of the code are completely identical. This means that Jimmy's creators reused old code to build a malware version of their own.
“In isolation from the previous modifications, the newly created Jimmy would not be of much interest to researchers. However, in this context, it is an excellent example of what can be done with the source code of a quality Trojan, namely, flexibly adapt to the goals and tasks set before a botnet to take advantage of a new source,” Kaspersky experts say.