It’s not just legitimate companies looking to drive profitability through -aaS models: a new MaaS (malware-as-a-service) subscription is offering cybercriminals the ability to rent access to a trojan that can steal your banking data.
The botnet, named Nexus, was first made available on a forum in January 2023, when it was described as a “very new” project which would be under “continuous development” – and it was offered at a cost of $3,000 per month.
However, Italian cybersecurity firm Cleafy now says that it has been around since June 2022, and shares some code similarities with an Android banking trojan that emerged in mid-2021.
Android banking trojan
As part of the MaaS’s code of conduct, users are prohibited from using Nexus in Russia and other CIS states. The code indicates this, as it ignores Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, the Russian Federation, Tajikistan, Uzbekistan, Ukraine, and Indonesia.
Nexus works by stealing passwords from banking apps, and even those secured with two-factor authentication (2FA) aren’t necessarily safe, because the trojan can access certain accessibility features that expose SMS and Google Authenticator codes for ease of use.
Once Nexus is installed on an unsuspecting victim’s device, it connects to a C2 server and provides a C2 web panel for cybercriminals to carry out their attacks and receive stolen data.
Despite its similarities to a previous trojan, researchers have concluded that this represents a new attack operated by a different group. This, combined with its infancy and the threat of continuous development, makes it one worth keeping an eye on, while online banking customers are urged to ensure that their accounts remain protected by multiple layers.