Modifications of Nukebot are distributed over the Web

23 July 2017, 21:35 | Technologies

After the author of the banking Trojan Nukebot (also known as Nuclear Bot, Micro Banking Trojan and TinyNuke), someone using the pseudonym Gosya, published the source code of his creation in March of this year, enterprising cybercriminals quickly found a use for it. Some modified the malware to attack banks in the US and France, while another group of hackers adapted it to steal email and browser passwords.

Kaspersky Lab specialists discovered several variants of the Trojan created after the publication of the source code, some of which are test samples.

"Most of them were of no interest, because the addresses specified as C&C servers were local subnet addresses or localhost/127. Far fewer samples had 'real' addresses and turned out to be working," said Kaspersky Lab analyst Sergei Yunakovsky.

Approximately 5% of the investigated variants were used in attacks. It is not known yet whether they were created by individual intruders or a criminal organization.



Based on analysis of the Trojans used in real attacks, the researchers suggested that their targets are financial organizations in France and the United States.

From some of the test samples, the specialists were able to extract test strings, which let them establish the control server addresses and other data needed for the study. The working versions of Nukebot were encrypted, so the experts first had to retrieve the encryption key. To do this, they simulated interaction with the C&C servers and received an RC4 key for decrypting the web injects.



