Pierluigi Paganini December 14, 2021

The TinyNuke malware is back and now was used in attacks aimed at French users working in manufacturing, technology, construction, and business services.

Proofpoint researchers uncovered a campaign exclusively targeting French entities and organizations with operations in France with the banking malware TinyNuke.

The attackers used invoice-themed lures targeting entities in manufacturing, industry, technology, finance, and other verticals. 

The banking malware re-emerged after its activity significantly dropped in 2019, threat actors are using it to steal credentials and other private information and deliver additional payloads.

The TinyNuke malware was first spotted in 2017, but its activity reached its peak in 2018.

“After only observing a handful of TinyNuke campaigns in 2019 and 2020, Proofpoint observed TinyNuke reappear in January 2021 in one campaign distributing around 2,000 emails. Subsequent campaigns appeared in low volumes in May, June, and September. In November, Proofpoint identified multiple TinyNuke campaigns distributing around 2,500 messages and impacting hundreds of customers.” reads the analysis published by Proofpoint. 

“In the most recent campaigns, the threat actor uses invoice-themed lures purporting to be logistics, transportation, or business services entities.”

The malicious messages used in these campaigns contain download links pointing to a ZIP compressed executable responsible for installing TinyNuke. 

Proofpoint researchers distinguish at least two distinct activity sets using TinyNuke based on different lure themes, C2 infrastructure, and payload deployment. The experts believe that one of these two clusters was associated with the initial TinyNuke operators, whole the second one was associated with a threat actor that uses commodity tools.

In the recent wave of attacks, the attackers used legitimate, but compromised websites, to host the payload URL. Most of the websites involved in the campaigns use the French language.  

Once installed, the TinyNuke loader can be used to steal sensitive data and credentials with form-grabbing and webinject capabilities for popular browsers (Firefox, Internet Explorer, and Chrome), and to install additional payloads. 

The persistence mechanism used by the malware uses entries in the registry under the following location.

Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x00E02BC647BACE72A1\xe4\x8d\x82

Data: C:\Users\[User]\AppData\Roaming\E02BC647BACE72A1\firefox.exe 

“TinyNuke has re-emerged as a threat to French organizations, and entities with operations in France. Of note, in most of the recent campaigns the actor has stayed consistent with using URLs to ZIP files and the continued use of Tor for C2 communications. The malware can be used for data and financial theft, and compromised machines may be added to a botnet under the control of the threat actor.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]