TinyNuke Banking Trojan Resurfaces, Attacks French EntitiesAttackers Using Invoice-Themed Lures in Multiple Campaigns
Researchers have identified multiple campaigns leveraging invoice-themed lures to distribute the rarely observed TinyNuke malware, which has not been seen with regularity since 2018.
"The campaigns target hundreds of customers in various industries including manufacturing, technology, construction, and business services; it uses French language lures with invoice or other financial themes and almost exclusively targets French entities and companies with operations in France," according to Proofpoint researchers.
The Proofpoint threat research team says TinyNuke is a banking Trojan that has similarities with Zeus malware and has many variants with identical functionality.
"TinyNuke can be used to steal credentials and other private information and can be used to enable follow-on malware attacks. The author initially released the code on GitHub in 2017, and although the original repo is no longer available, other open-source versions of the malware exist," researchers say.
The researchers do not associate TinyNuke with any known threat actor or group. The malware is currently publicly available and likely used by multiple threat actors. But Proofpoint researchers assess with high confidence that some of the original threat actors distributing TinyNuke in 2018 are continuing to use it.
The researchers say that they observed dozens of TinyNuke campaigns targeting French entities in 2018 and only a handful of campaigns in 2019 and 2020. But they observed one TinyNuke campaign making a reappearance in January 2021, distributing around 2,000 emails.
"Subsequent campaigns appeared in low volumes in May, June and September. In November, Proofpoint identified multiple TinyNuke campaigns distributing around 2,500 messages and impacting hundreds of customers," the researchers say.
In one recent campaign observed by the researchers, threat actors were seen using invoice-themed lures purporting to be logistics, transportation, or business services entities. These messages contained a URL that led to the downloading of the "compressed executable responsible for installing TinyNuke," the researchers say.
Proofpoint researchers say they first observed TinyNuke used as a second-stage payload in a Zeus banking Trojan campaign targeting French entities in 2017.
"Proofpoint has observed three times as many TinyNuke campaigns in 2021 as the two previous years combined. But while threat actors have conducted more campaigns this year, they are distributing fewer messages compared to previous years," the researchers say. "Though the number of 2021 campaigns is less than 2018, TinyNuke’s reappearance and consistent targeting of French organizations is striking, suggesting it is a reemerging threat in the French cybercrime threat landscape."
The researchers also observed at least two distinct activity sets using TinyNuke based on different lure themes, payload deployment, and command-and-control infrastructure.
One intrusion analyzed by the researchers is associated with the initial TinyNuke actors using Tor for command and control since 2018, while commodity actors typically leverage clear web C2, the researchers say.
"Open-source reporting suggests the malware version using Tor, which Proofpoint has observed with continued regularity, is not publicly available, and likely used only by the original TinyNuke threat actors. The following analysis focuses on the most frequently observed activity set responsible for most of the TinyNuke campaigns in 2021," they say.
"PowerShell is then executed and leverages the Start-BitsTransfer cmdlet to download another ZIP file (e.g., putty.zip) which contains the TinyNuke PE file. The actor generally uses legitimate, but compromised, websites to host the payload URL. The websites are typically French language, and do not share a common theme," the researchers say.
The researchers observed the string "nikoumouk" sent to the C2 server for an unknown purpose, which - according to open-source information - the previous actors used in C2 communications in earlier campaigns since 2018.
"The string is an insult in popular Arabic, mainly used in French-speaking suburbs in Europe," the researchers say.
Upon successful installation, TinyNuke loader can be used for data and credential theft with form-grabbing and webinject capabilities for Firefox, Internet Explorer and Chrome, and to install follow-on payloads.
"Malware is often an email with a weaponized attachment or a link to a watering hole URL - which is exactly what is evidenced in this recent attack - in which the criminals used fake invoices to bait the victim. Threat actors appreciate effective malware, as it is regularly reused, and cybercriminals are calculating in leveraging their assets," says Alan Calder, CEO of GRC International Group, a global provider of IT governance, risk management and compliance solutions.
Proofpoint says that it identified TinyNuke infrastructure overlapped with PyLocky ransomware attacks first in 2018, but it did not observe any ransomware activity associated with TinyNuke in subsequent campaigns.
"Public reporting associates the original TinyNuke author with an individual charged in a French sextortion case," the researchers say, adding that the author "was imprisoned before reportedly being released under legal supervision in 2020 during a spike in the COVID pandemic. In 2017, the accused individual previously claimed to be the original author of TinyNuke in an interview with the journalist Brian Krebs."
They also say that operators behind TinyNuke reportedly taunted and harassed security researchers investigating its activity.
"Using invoices and other financial activities have always been popular angles as part of malware - even outside of the context of TinyNuke. Defenses against these types of attacks do not necessarily need to be technical in nature, and organizations can protect themselves by ensuring proper safeguards in place when performing transactions - in this case, paying out invoices," says Ryan Kennedy, application security consultant at application security provider nVisium.
Kennedy says large organizations across a variety of industries have fallen prey to similar attacks, whether for the purpose of compromising systems or for financial gain via forged invoices.
"The reemergence of TinyNuke as well as this newly uncovered malware campaign leveraging it is proof that sometimes all it takes to be compromised is a sufficiently convincing email," Kennedy tells ISMG.