Pierluigi Paganini January 27, 2017

The security researchers at security firm Sixgill discovered a new malware dubbed Nuke HTTP bot offered for sale on a forum in the Dark Web.

Darknets are the right places where to find illegal product and services, it is quite easy to find malicious code and also botnets of any type.

On December 16th, a new malware dubbed Nuke HTTP bot was discovered by the security researchers at security firm Sixgill on a popular cybercrime forum in the dark web. The author of the malware, who goes by the moniker Gosya, claims the malicious code was developed from scratch. Nuke was offered for $4,000, a good price for such kind of commodity.

Researchers at Sixgill who analyzed the Nuke malware confirmed that the malware request a significant skill for its development. The authors of the malware implemented sophisticated features, including the ability to inject malicious code on Firefox and Chrome browsers.

Nuke is also able to get through User Account Control (UAC) and Windows Firewall executions, and it supports both 32-bit and 64-bit systems.

Below the full list of featured implemented in the Nuke HTTP bot:

– SOCKS proxy module
– Formgrabber and Web-Injection module
– Remote EXE file launcher module
– Hidden VNC module for WinXP-Win10
– Rootkit for 32-Bit and 64-Bit machines
– Bot-killer – a mini anti-virus meant to remove all competing malware from the infected machine, if any are present.

The SOCKS proxy module allows the malware to retrieve data from the infected machine and send it back to the C&C server. Another interesting feature it the so-called “bot killer,” that indicated the capability of the malicious code of removing all other existing malware on the target machine.

The malicious code is very small in size, just 83kb when uncompressed.

“Nuke HTTP Bot boasts a fairly small file size of just 83kb uncompressed, and 54kb compressed. The detection rate at the moment of writing this article is extremely low as well. Gosya presented evidence supporting the fact the malware is currently undetected by mainstream AV engines.” reads the analysis published by Sixgill.

Researchers at Sixgill are monitoring the diffusion of the Nuke HTTP bot in the wild and are supporting law enforcement in the investigation.

“A test version was already found in the wild by Netscout’s Arbor Networks. The author went on and mentioned that he is aware of it. The analyzed variation was a test version of the malware. The current version, according to Gosya, has much of the inner workings changed since Arbor’s report was published.” states the report.