[MART] - Daily Diary #411 - TinyNuke Malware Targets French Organizations

CTAS-MAT ctas-mat at appgate.com
Tue Dec 14 23:33:58 UTC 2021 

Hello,

I hope everyone is doing well!

Below is the entry for today.

12/14/2021 - Diary entry #411:

TinyNuke is a banking malware that appeared in 2017 when its author published its source code on Github. Although the repository was deleted, the original code can be found in other repositories. TinyNuke is a variant of Zeus, a notorious banking trojan first discovered in 2007 - as mentioned in our Daily Diary #347.

Since its discovery, TinyNuke has been targeting French organizations during seasonal campaigns every year. Delivered via spam, the threat actor uses invoice-themed phishing mimicking logistics, transportation, and business services entities. In recent campaigns, the spam messages lure the victims to download a JavaScript downloader. As soon as it's executed, it runs a PowerShell malicious code to download another ZIP file containing the TinyNuke payload. The threat actors use legitimate French-language compromised websites to host the payload URLs.

Once executed, the TinyNuke can be used for data and credential theft with form-grabbing and web injection capabilities for Firefox, Internet Explorer, and Chrome, and to install additional payloads. Its communication with the C2 is established via Tor and compromised machines may be added to a botnet under the control of the threat actors.

Kind Regards,

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png]<https://www.appgate.com/>

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>



Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20211214/9c5c5a40/attachment.htm>

More information about the MART mailing list