The latest Neutrino modification delivered up a new malicious program classified by Kaspersky Lab as Trojan-Banker.Win32.Jimmy, an evolution of the “Jimmy Nukebot” trojan.
Experts from Cyphort and FireMon have commented on the malware, including technical aspects and advice for IT organizations.
Dr. Mounir Hahad, Senior Director of the Cyphort Labs:
“Using checksums for API obfuscation is not by itself something new. It is frequently used by malware to make it harder for static analysis engines (like the vast majority of desktop Anti-Virus products) to determine what the application is up. This modification to NeutrinoPOS makes it more difficult for AV engines that develop heuristics to catch this variant and newer ones. Behavioral analysis on the other hand couldn’t care less – at some point or another the malware will need Operating System support and all that activity can be easily monitored. And when combined with machine learning, it gives the behavioral analysis solution the best shot at detecting this kind of malicious activity.
As always, organizations who may face this kind of malware should ensure they have both signature-based and signature-less solutions in their environment. A combination of end point AV and network behavioral analysis solution will provide so much more coverage than an end point solution alone. Organizations should also make sure they invest in detection as much as prevention – if a virus is already implanted, you need to have a solution to detect the network callbacks, whether it’s an IDS type of solution or anomaly based.
If it goes undetected, this new variant of NeutrinoPOS will be able to act as a backdoor into the organization, allowing monitoring of user actions and exfiltration of any data the bad actors can lay their hands on. Given that it can install newly downloaded modules at will, the sky is the limit as to what it can be commandeered to do.”
Josh Mayfield, Platform Specialist at FireMon:
“The changes to the Jimmy trojan is significant and should not be ignored or brushed aside as ‘business as usual’. For starters, the modification affords the Trojan an opportunity to learn versus instead of instantly executing malicious behavior (e.g. data theft). This is the quintessential algorithmic process pairing of EXPLORE and EXPLOIT.
Computational models have these pair running simultaneously to maximize effects and outcomes. We humans have this function in our neural system as well. Every time you’re deciding what to have for dinner, you are computing – exploring options, exploiting the knowledge to maximize the outcome.
Jimmy is doing the same thing, “…limited solely to receiving modules from a remote node” in order to, “flexibly adapt to the goals and tasks set before a botnet to take advantage of a new source”. This function allows Jimmy to gather information, be self-referential, and run through what it has explored for later use and exploitation.
Jimmy’s ongoing evolution is essential to maximizing the effects of later goals – a mirror image of how organisms evolve, adapting to the environment and modifying the base code (like DNA) to achieve a more survivable advantage.
This method is what should have organizations cognizant of Jimmy’s changes. Historically, the attacker community would take advantage of widely applicable weaknesses and immediately went to exploitation. But Jimmy takes note of the information it receives from a given specified target and tailors its payload to that specific environment.
Furthermore, since the bot is not deployed instantaneous, but remains in receiving mode, and organization’s own defenses can be turned against them. These defenses can be covertly assessed by Jimmy thereby raising the probability of success – like knowing your opponent’s playbook before the game.
Ultimately, Jimmy is a code sequence. Organizations can take advantage of threat intelligence to gain insight into what’s possible in their environments. Then, security teams can survey the environment to cross-reference where Jimmy could be hiding – threat hunting.
Secondly, organizations can ‘Red Team’ these situations by taking advantage of Jimmy for themselves. By using Jimmy in their environments, they can proactively think like the enemy and discover their own weaknesses; provided they have the intellectual courage to take a hard look at their own shortcomings.
Lastly, organizations can adopt the assumption of compromise. It is within this mindset that we can explore the potential problems we have not modeled. Jimmy conform to models, it responds to the situation based on all the data it receives from passive reconnaissance. This means, Jimmy will not trigger alerts. An organization could be compromised, but without alerts, they may lull themselves into a false assurance because, “the models are not saying there is any problem”.
Jimmy will not be polite. Jimmy will not tell you when it is in your environment with alerts that align with neatly defined models for Indication of Compromise (IOC) or Indications of Attack (IOA). Don’t bother waiting for an alert. You have to hunt for Jimmy, it’s the only way to find it.
End user education is a critical in the evolving landscape of trojans like Jimmy. The average person is not going to be as well-informed about the threats or problems they face. It is important to make users aware that these things exist, they can cause damage, and simple measures can be taken. End users do not readily see the need for things like two-factor authentication, regular password resets, password complexity standards, and so on. Awareness of just how dangerous the world can be, can help them to take their medicine.”