Self Assessment

NIKKI STEALER: EX-DEFACER TURNS SELLER OF DISCORD STEALER

Published On : 2024-03-15
Share :
NIKKI STEALER: EX-DEFACER TURNS SELLER OF DISCORD STEALER

EXECUTIVE SUMMARY

At CYFIRMA, we are committed to offering up-to-date insights into prevalent threats and tactics employed by malicious actors, targeting both organizations and individuals. This thorough examination delves into the widespread adoption of ‘Nikki Stealer’, a malicious tool available for purchase on Discord or Telegram. The developer, who has a history as a defacer, now sells this stealer, designed to steal Discord tokens, browser cookies, and credentials, with numerous users utilizing the tool. Our research explores the various evasion techniques utilized by threat actors to avoid detection, while also shedding light on the intricate processes involved in creating resilient malware payloads.

INTRODUCTION

Nikki Stealer v1 was initially discovered on Telegram, where the developer showcased its undetectable capabilities. We managed to gather details about the older version of Nikki Stealer. The malware’s developer, Sk4yx, operates primarily from Discord, where he shares the latest insights and recent developments of the stealer, primarily in Portuguese. The latest version (v9) is now available for purchase: this version is capable of stealing browser cookies, credentials, and other sensitive data, and is developed using the Electron framework by GitHub. Interestingly, we have observed similarities in source code between Nikki Stealer and Fewer Stealer.

KEY FINDINGS

Nikki Stealer drops PE (Portable Executable) files into the startup folder, ensuring it runs automatically every time the system starts up.
The malware attempts to harvest and steal browser information, including browsing history, and passwords.
Nikki Stealer tries to load missing Dynamic Link Libraries (DLLs), which could be necessary for its proper functioning or to extend its capabilities.
The malware is built using the Electron framework, enabling the development of cross-platform desktop applications using web technologies like JavaScript, HTML, and CSS.

BEHAVIORAL ANALYSIS

File Name Cum3d_Setup.exe, nikki 1.1.4 (1).exe
File Size 66.47 Mb
Signed Not Signed
MD5 Hash a4317a8d4595f181c56efa6b3be6c14b
SHA-256 Hash 0fa64d5ad4c84011bef6e838d0f70121a3af53df5dbc3b5f5f0c16a8fb495244
First Seen in the Wild October 2023

At the time of analysis, i.e. March 10th, 2024, the stealer is flagged as malicious by only 2 vendors.

Note: The two detections by the antivirus engine are based on heuristics.

Upon analysis, it’s determined that the file is packed using the Nullsoft packer, which can be unpacked using 7zip.

PROCESS TREE

Once executed, the Nikki stealer drops a second payload named nikki.exe inside the temp folder, which is the main executable file.

The below snippet shows the folder where the executable is stored.

Modifying process features and prefetch settings could be used to manipulate system behavior or evade detection by security software. For example, disabling certain features might help the malware to avoid detection or hinder analysis by security tools.

PERSISTENCE

To achieve persistence, the Nikki Stealer first drops itself into the startup folder.

This creates an entry into a start menu, commonly used by adversaries for persistence purposes. Adversaries often place their malicious binaries or shortcuts in these folders to ensure their malware continues to run even after system reboots or other disruptions.

PAYLOAD ANALYSIS

After executing the initial payload, the Nikki Stealer malware places a second payload in the system’s temp folder. In the provided snippet, the primary executable, which is the Nikki Stealer, is accompanied by various DLL files, as well as autofill.txt and password.txt files. These text files are filled with fake data by the malware author for testing purposes. Our focus here will be on the executable file.

The main executable is a 64-bit file, sized at over 160 megabytes. Additionally, the screenshot displays information about the version and name of the stealer.

ELECTRON FRAMEWORK USED BY NIKKI STEALER

The primary executable file i.e. ‘nikki.exe’ is built using the Electron framework.

To provide context, Electron is a software framework made by GitHub, used for creating desktop applications that work on different operating systems, like Windows, macOS, and Linux.

Electron lets developers use web technologies like JavaScript, HTML, and CSS to build their applications. Under the hood, it uses two main components: Chromium, which is responsible for displaying web content, and Node.js, which runs the backend code.

Attackers like to use Electron because it enables them to create malicious software that can run on many different types of computers and develop code that works on multiple platforms without needing individual rewrites.

Meanwhile, in the background, these applications can secretly access important functions of the operating system, allowing attackers to perform malicious activities without the user’s knowledge.

The app built with Electron stores its source code and essential files within a resource file. Inside this resource file, you’ll typically find an “app.asar” file, which serves as the main file containing all the source code and important resources.

To extract the file with ‘.asar’ extension, we can use a plugin designed for 7-Zip, available on the internet. Once extracted, we’ll have access to the complete source code of this sample application.

The file “precisafalar que eh test” translates to “I need to say that it’s a test.” This file contains the source code for Nikki Stealer. Additionally, within the password text file, there are numerous fake credentials provided. These credentials are used to test the capabilities of the stealer.

The below screenshot highlights the Nikki Stealer source code which looks similar to the Fewer Stealer source code.

The Fewer stealer source code found on GitHub, has similarities with the Nikki Stealer source code:

This malware’s main aim is to steal saved passwords and session cookies from web browsers like Chrome, Opera, Microsoft Edge, and Brave. For each browser, the malware locates where sensitive user data is stored, such as cookies and login credentials for different websites.

This JavaScript code seems to be designed to gather encrypted data, possibly related to browsers. It goes through an array called “browserPath” that holds possible paths to browser data.

  • Read a file named “Local State”.
  • Extract an encrypted key from the JSON content it reads.
  • Use PowerShell to decrypt the key.
  • Add the decrypted key to the respective element in the “browserPath” array.

RECENT DEVELOPMENT

Nikki Stealer v9 has been launched on their Discord channel with various subscription plans available. This new version has a more efficient injector, making it even more effective at stealing sensitive information from target systems.

EXTERNAL THREAT LANDSCAPE MANAGEMENT

The Nikki Stealer channel was established on Telegram on October 23, 2023. During our investigation, we discovered similarities in the descriptions of both the Nikki Stealer and Crow Stealer channels. This suggests that Sk4yx; the developer associated with the Nikki Stealer code, is also the creator of the Crow Stealer malware. Additionally, past findings indicate that the Crow Stealer channel promoted the Nikki Stealer channel, further supporting the connection between the two projects and their common developer, Sk4yx.

While the Telegram channel appears to have low activity, it’s noteworthy that Sk4yx and associated individuals are predominantly active on Discord, boasting a user base of over 136 members. Within this Discord community, they promote not only malicious activities but also engage in illegal behavior, such as sharing photographs of drugs.

Users who have purchased Nikki Stealer are praising its effectiveness, claiming that it is fully undetectable (FUD) and has a zero detection rate.

During our analysis, we discovered the Instagram profile of Sk4yx, where he mentioned the Nikki Stealer website.

Upon further investigation, we found evidence in the web archive indicating the existence of a login panel for Nikki Stealer, although it is currently inactive.

It has been noted that Sk4yx has referred to themselves as an ex-defacer, and evidence suggests that they have defaced websites belonging to organizations in Brazil in the past. Additionally, Sk4yx maintains an account on PyPI, but there has been no activity observed from this account from an extended period.

Based on our analysis of the chat conversations within the Discord platform, we have medium confidence to suggest that Sk4yx/Sk4yxx, is a developer based in either Brazil or Portugal, and is the creator of the Nikki Stealer. This conclusion is further supported by references to their name within the source code.

Below is a screenshot from Sk4yx showcasing drugs they have access to.

Translation from Portuguese to English: to muitondoido virado > I am very crazy turned

Another member of the Nikki Stealer group, known by the alias YKG, has a YouTube channel to promote their activities.

Diamond Model

List of IOCs

No. Indicator (SHA-256) Remarks
1 0fa64d5ad4c84011bef6e838d0f70121a3af53df5dbc3b5f5f0c16a8fb495244 Nikki Stealer 1st Payload
2 01ae1b2996a35fb5a3eb40c33763058b01b892253458fb6c9a8b0efc6b98d0a0 JS file
3 7a32c14d724c8904511ccb4eca27cf62aaa31d85a05a0e443d28ad95d35b363c JS file
4 1792a2b01c8aa7d9f3e8e75553d49c5b70d513ec76fbb37f5438a084fbe11200 Nikki Stealer 2nd Payload

MITRE ATT&CK TTPs

No. Tactics Technique
1 Execution (TA0002) T1047: Windows Management Instrumentation
T1059: Command and Scripting Interpreter
2 Persistence (TA0003) T1547.001: Registry Run Keys / Startup Folder
T1574.002: DLL Side-Loading
3 Privilege Escalation (TA0004) T1055: Process Injection
T1547.001: Registry Run Keys / Startup Folder
4 Defense Evasion (TA0005) T1036: Masquerading
T1055: Process Injection
T1574.002: DLL Side-Loading
5 Credential Access (TA0006) T1003: OS Credential Dumping
6 Discovery (TA0007) T1012: Query Registry
T1057: Process Discovery
T1018: Remote System Discovery
T1082: System Information Discovery
7 Collection (TA0009) T1005: Data from Local System
8 Command and Control (TA0011) T1573: Encrypted Channel
T1071: Application Layer Protocol

CONCLUSION

Investigation into the Nikki Stealer reveals a sophisticated and actively developed malware tool. Operated primarily through Discord and previously discovered on Telegram, Nikki Stealer demonstrates a high level of stealth and persistence, dropping PE files into the startup folder for automatic execution. Its primary function revolves around harvesting sensitive browser information, including browsing history and passwords, with attempts to mitigate missing dependencies by loading DLLs as needed. Built on the Electron framework, Nikki Stealer leverages modern web technologies for its development, enhancing its cross-platform capabilities. Overall, the presence of Nikki Stealer underscores the evolving landscape of cyber threats and the importance of robust security measures to mitigate its impact.

RECOMMENDATIONS

Strategic Recommendations:

Implement Defense-in-Depth Strategy: Develop a comprehensive defense strategy that combines network segmentation, robust perimeter defenses, and endpoint security to create multiple layers of protection against such threats.

Invest in Threat Intelligence: Engage with threat intelligence services to stay informed about the evolving tactics, techniques, and procedures employed by malware operators. Regularly update defenses based on the latest threat intelligence to enhance proactive detection capabilities.

Enhance Employee Training: Conduct regular cybersecurity training programs to educate employees about phishing threats, social engineering, and safe browsing practices. Building a security-aware culture can significantly reduce the likelihood of successful infostealer infections.

Management Recommendations:

Develop an Incident Response Plan: Establish a robust incident response plan that outlines clear procedures for identifying, containing, eradicating, and recovering from a Nikki Stealer infection. Regularly test and update the plan to ensure effectiveness.

Conduct Regular Security Audits: Perform periodic security audits to assess the effectiveness of existing security controls, identify potential weaknesses, and validate the organization’s overall security posture. Use the findings to make informed adjustments and improvements.

Collaborate with Industry Peers: Engage in information sharing and collaboration with industry peers, cybersecurity communities, and relevant authorities. Sharing threat intelligence and best practices can enhance collective resilience against emerging threats like Nikki Stealer.

Tactical Recommendations:

Update and Patch Systems: Regularly update and patch operating systems, software, and applications to address vulnerabilities that malware like Nikki stealer exploits. Automated patch management tools can streamline this process and minimize the attack surface.

Utilize Advanced Endpoint Protection: Deploy advanced endpoint protection solutions that incorporate behavioural analysis, heuristic detection, and threat intelligence to identify and mitigate the specific techniques employed by Nikki stealer. Ensure these solutions are regularly updated with the latest detection rules such as the one given in the report.

Implement Application Whitelisting: Restrict the execution of unauthorized applications by implementing application whitelisting. This helps prevent the execution of unknown or malicious binaries, hindering Nikki’s stealer ability to run on endpoints.