Banking and crypto apps: beware, this new malware is after your credentials on Android


Mallory Delicourt

March 28, 2023 at 2:50 p.m.


First advertised at the beginning of the year, the Nexus malware is starting to cause serious concern. Targeting more than 450 financial applications, it goes after bank accounts as well as cryptocurrency wallets.

For now, the attacks mainly hit Turkey, but the malware is still under active development and may soon spread further.

Nexus, a new Trojan horse

At the beginning of the year, a new ready-to-use malware called Nexus was advertised on underground forums, although the first attacks may have taken place as early as June 2022. Like other banking trojans, Nexus gives its operators the functionality needed for account takeover (ATO) attacks: targeting financial applications, running fraud schemes and intercepting text messages. Nexus also appears to reuse some code from SOVA, another banking trojan, and adds the beginnings of what looks like a ransomware module.

The attacks rely in particular on overlay screens placed on top of legitimate apps and on keylogging of what users of infected Android devices type. Analysed by Cleafy, an Italian cybersecurity company, Nexus seems to be only at the start of its development, even though it is already active. If you follow cybersecurity news, you may remember a sample identified in August 2022 as a new variant of SOVA. Nexus is that malware, and it has now been identified in its own right.


Turkey particularly targeted?

Nexus is not open-source software. Criminals therefore have to pay for it, through a subscription priced at around $3,000 per month. The sum seems enormous, but it has to be weighed against what the operators can steal. Their activity could in principle be global, but most of the attacks observed have taken place in Turkey, suggesting that the country is being directly targeted. Cybersecurity researcher Rohit Bansal was able to confirm this finding, although the malware's authors themselves offered a different reading on Telegram:

"Guys, your research is really good. But there is no attack on Turkey. It is true that a large percentage of our users work in Turkey, but our targets do not include a specific country, political orientation or anything else. Please don't misrepresent our attacks during our research. Greetings seekers and curious friends, do your job right."

The authors have, however, banned the use of Nexus in a number of countries. The malware therefore cannot be deployed in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine and Indonesia.

Source: The Hacker News
