The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak

An Uncommon Tale of a Failed Banking Trojan Vendor




In early December 2016, IBM X-Force researchers noticed the emergence of a new banking malware advertised for sale on a few underground boards. The malware’s vendor, who went by the online moniker Gosya, was a Russian-speaking member who introduced himself as the developer of Nuclear Bot, or NukeBot, a modular banking Trojan.

Considering the demand for commercially available malware in the cybercrime community, this malware should have been accepted very eagerly. But instead, its developer’s user account was banned from multiple forums. In March 2017, the source code was leaked, apparently by the developer himself.

What led to this leak, and what impact can we expect as a result?


Dear reader: this post is part of my research work at IBM X-Force. Read the complete post here.

Also note that this story was picked up by Krebs on Security, who later interviewed the malware's author. Krebs quoted this blog post in his investigation. You can read his post here.
