The information-stealing malware TinyNuke has resurfaced in a new campaign that targets French users with invoice-themed lures, sent to corporate email addresses and to people working in manufacturing, IT, construction, and commercial services. The campaign's main objective is to steal credentials and other private information from a compromised system and to install additional payloads.
TinyNuke malware originally surfaced in 2017, peaked in 2018, declined dramatically in 2019, and practically vanished in 2020. It is unusual, but not wholly unexpected, to see fresh attacks in 2021 that use this specific malware strain. According to the Proofpoint analysts who have been tracking these operations, the re-emergence consists of two distinct sets of activity, each with its own C2 infrastructure, payloads, and lure themes.
This might also imply that the malware is employed by two separate actors, one tied to the original TinyNuke perpetrators and the other among commodity tool users. Finally, there is no overlap this time with the PyLocky ransomware distribution of 2018, nor with any other ransomware infection.
The actor compromises legitimate French websites to host the payload URL, while the executables are disguised as harmless software. The most recent campaigns use Tor for C2 communications, the same method seen since 2018.
One of the strings used in these emails, “nikoumouk,” is identical to a slang phrase uncovered in the 2018 study, tying this campaign even closer to the initial threat actors. As per Proofpoint experts, the string “nikoumouk” was transmitted to the C2 server for an unexplained reason. Proofpoint's study notes that, according to information-sharing partners and open-source material, the actors have employed that string in C2 communications in previous campaigns since 2018.
Even though the current campaigns employ certain lures, the actors might adjust their messaging to present recipients with fresh baits. If new actors are employing TinyNuke, it is possible that the original creators are selling it on the dark web, or that the code has been circulating independently since it was first shared on GitHub years ago.
In either case, its use might grow considerably, and the range of email lures used against targets could expand significantly. It is critical to stay cautious and avoid clicking on embedded links that lead to sites hosting malicious compressed executables. Because these sites appear legitimate on the surface, your Internet security solution may not detect them, so proceed with caution.