A relatively new banking trojan, dubbed Nexus, is being promoted as a MaaS subscription on dark web forums. It is said to have a wide range of capabilities required to take over banking and cryptocurrency accounts, and a built-in list of exploits for over 450 banking and financial applications.

Nexus MaaS offering goes global

The Nexus MaaS program was officially launched on the dark web on January 27. However, experts believe that the malware has been in use in attacks since June 2022.
  • Advertisements have been posted on various hacking forums, offering the subscription service for a monthly fee of $3,000.
  • Multiple Nexus campaigns have been observed around the globe, with a majority of them being reported from Turkey. This indicates that the malware is already getting good traction among threat actors.
  • However, the authors have explicitly set a rule restricting the use of this malware against targets in the CIS (Commonwealth of Independent States).

Malware features

Nexus is equipped with several features that make it suitable for account takeover attacks against financial institutions and cryptocurrency services.
  • It can perform overlay attacks to fool users and keylogging attacks to steal credentials.
  • It further allows its operators to intercept SMS messages and read codes from the Google Authenticator app in order to capture 2FA codes. It can delete received SMS messages and start or stop the 2FA stealer module on command.
  • The trojan has an autonomous update mechanism that regularly polls the C2 servers for new versions and fetches them whenever one is available.
  • Researchers further detected a work-in-progress encryption module, lacking usage references to its C2 server. This could be a potential attempt to use it as ransomware.

Nexus overlaps with SOVA

The source code of Nexus contains several similarities with that of the SOVA banking trojan, indicating some code reuse.
  • Moreover, the author of SOVA, operating under the moniker Sovenok, started posting updates about Nexus.
  • Sovenok accused an affiliate of stealing the complete source code of SOVA. Furthermore, another Android botnet, known as POISON, is said to be closely linked to Nexus.

Ending notes

The Nexus banking trojan is another example of the ever-evolving MaaS ecosystem, which allows malware developers to monetize their malware efficiently. This is an alarming situation for both security agencies and organizations. Organizations are advised to maintain a robust security posture and keep security software up to date to stay protected.
Cyware Publisher