Security researchers have uncovered a new malware strain, dubbed Nuke, put up for sale on the dark web by an alleged Russian cybercriminal going by the pseudonym Gosya. Researchers noted that the malware comes with several features, including "bot killer" abilities, which allow it to remove all competing malware from an infected machine.
According to researchers at cybersecurity firm Sixgill, which specialises in detecting and defusing cyberattacks and data leaks originating from the dark web, the Nuke malware comes with Chrome and Firefox code-injection abilities. It fully supports 32-bit and 64-bit systems alike and is also capable of bypassing UAC and Windows Firewall.
Sixgill told IBTimes UK that researchers first discovered the malware on 16 December, 2016 in "one of the leading Russian/English cybercrime message boards" and that it "has generated some interest within the forum members".
According to Sixgill, the Nuke malware comes with modules such as "SOCKS proxy module", which provides it with the ability to secretly surf/transfer data online through an infected machine and "Hidden VNC module for WinXP-Win10", which opens up a hidden remote-desktop session on an infected system.
The malware also comes with a "Remote EXE file launcher module", which allows it to launch code and software on a system, and a "Rootkit for 32-Bit and 64-Bit machines", which, according to Sixgill researchers, adds a "layer of persistence to the trojan, that is not easily removed".
Commenting on the various features of the Nuke malware, a Sixgill spokesperson said: "While we've seen these features before, it takes great skill for a malware author to accomplish them."
Who is Gosya?
Sixgill researchers believe that Gosya "has been active in various forms in the cybercrime underground as early as 2012. The estimation is that he resides somewhere in Moscow or its metropolitan region."
Researchers believe that the Nuke malware has been priced relatively low in comparison with malicious products put up for sale by other malware authors. The Sixgill spokesperson explained: "From our experience, the price is not as high as some other malware authors. We've seen prices as high as $20,000 and up. We reckon this is cheaper because Gosya isn't a well-known malware author yet. If he makes a name for himself, his next malware could be priced higher."
It is still unclear if the malware has generated enough interest to have attracted buyers or if it has already been sold.
Sixgill said its researchers are "constantly monitoring this issue for updates, and we report the case to our customers". The firm also stressed that it works with law enforcement organisations to report such issues. However, the firm refrained from confirming if it was currently collaborating with law enforcement to hinder the Nuke malware sale in any way.