NikiTeaR
⚠️ Overview
NikiTeaR is a modular information stealer and loader first reported in early 2022 by Zscaler ThreatLabz and attributed to a Russian-speaking cybercriminal group tracked as "Nikifer" or "NikiLoader", loosely linked to the Exploit and XSS underground forums. It primarily harvests browser credentials, cryptocurrency wallets and sensitive files, and also acts as a downloader for secondary payloads such as RedLine Stealer and Vidar. It is commonly distributed through phishing campaigns and malvertising.
🔧 Technical Capabilities
NikiTeaR spreads through spear-phishing emails carrying malicious attachments (for example ISO files or ZIP archives) and through drive-by downloads from compromised websites. The attack chain typically begins with a Visual Basic Script (VBS) or PowerShell dropper that fetches the main DLL payload from a remote C2 server over HTTP or HTTPS. Persistence is established through a registry run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and through scheduled tasks created with schtasks under random task names. Evasion techniques include removing user-mode API hooks from ntdll.dll, checking for sandbox and virtualisation artifacts (VMware, VirtualBox), and process hollowing to run inside legitimate processes such as explorer.exe or svchost.exe. The stealer collects system information (OS version, hardware ID, installed software) and exfiltrates it in HTTP POST requests to hardcoded IP addresses or domains; the request body is obfuscated with a custom XOR-based scheme rather than standards-based encryption, so captured traffic can be decoded once the key is recovered. Its C2 infrastructure additionally uses a domain generation algorithm (DGA) to rotate domains and evade blocklists.
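The page describes the exfiltration channel only as a custom XOR-based scheme with an unknown key. The following is an added example, not NikiTeaR's code and not code from Zscaler or any other source cited on this page, showing how an analyst recovers a repeating XOR key from a captured POST body when the first few plaintext bytes can be guessed (a crib). The JSON field layout, the key `n1k1` and the crib `{"hwid":` are constructed assumptions for the demonstration, not observed artifacts of the malware.

```python
"""Known-plaintext recovery of a repeating XOR key from an exfiltration body.
Added example; the blob, key and field layout below are constructed."""
from typing import Optional, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or common whitespace."""
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data) if data else 0.0


def recover_xor_key(blob: bytes, crib: bytes, max_keylen: int = 32,
                    min_printable: float = 0.95) -> Optional[Tuple[bytes, bytes]]:
    """Try each key length up to the crib length. Key bytes are derived from
    the crib at offset 0; a length is rejected if later crib bytes contradict
    the key bytes already derived. The shortest consistent key whose full
    decryption is mostly printable wins. Returns (key, plaintext) or None."""
    for keylen in range(1, min(max_keylen, len(crib)) + 1):
        key = bytearray(keylen)
        consistent = True
        for i, (c, p) in enumerate(zip(blob, crib)):
            k = c ^ p
            if i < keylen:
                key[i] = k
            elif key[i % keylen] != k:
                consistent = False
                break
        if not consistent:
            continue
        plain = xor_bytes(blob, bytes(key))
        if printable_ratio(plain) >= min_printable:
            return bytes(key), plain
    return None


# Constructed sample: an assumed system-info record and an assumed key.
SAMPLE_KEY = b"n1k1"
SAMPLE_PLAINTEXT = (b'{"hwid":"7F3A-11C2","os":"Windows 10 Pro","user":"alice",'
                    b'"wallets":["Exodus","Electrum"]}')
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)  # stands in for a captured POST body
CRIB = b'{"hwid":'  # assumed: the field order an analyst guessed from a decoded sample

if __name__ == "__main__":
    result = recover_xor_key(SAMPLE_BLOB, CRIB)
    if result is None:
        print("no consistent key found; lengthen the crib")
    else:
        key, plain = result
        print("key:", key, "plaintext:", plain.decode())
```

If the real key is longer than the crib the function returns None; in that case lengthen the crib from a decoded sample, or estimate the key length first (index of coincidence or Hamming distance between equal-sized blocks) before deriving the bytes. The printable-ratio check matters when the crib is exactly as long as the key, because then no crib byte is left over to cross-check the derived key.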
📜 History & Notable Incidents
First observed in February 2022, NikiTeaR was used in a notable campaign against cryptocurrency users in Eastern Europe that stole wallet files from Exodus, Electrum and MetaMask. In July 2023, Morphisec Labs described a distribution chain in which the BumbleBee loader delivered NikiTeaR, which in turn deployed multiple stealers. The malware exploits no vulnerability of its own; initial access relies on phishing and, in the reported cases, on unpatched client software (the cited example being CVE-2023-2482 in Microsoft Office). No law enforcement action against this family had been publicly recorded as of 2024.
🔍 Detection Indicators
Published SHA-256 hashes (for example a3f5c8d1e2b4..., from Zscaler's public feed) identify known samples. Behavioral indicators include PowerShell spawned to decode Base64-encoded strings, DLLs with random filenames written to the user's AppData\Local\Temp directory, and creation of the mutex NikiTeaR_Mutex_001. Network indicators include outbound HTTP requests to addresses in the 5.188.62.x range (a Moscow-based datacenter) with the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36; note that this is the stock Chrome 91 User-Agent for Windows 10 x64, so it is only meaningful in combination with the other indicators. The registry artifact is a value named NikiTeaR_Update under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; the per-user HKCU Run key is used for persistence as well.
☠️ Risk & Impact
NikiTeaR causes credential theft, cryptocurrency wallet compromise and exfiltration of sensitive documents; Trustwave has estimated losses in the hundreds of thousands of dollars per campaign. Affected targets include cryptocurrency exchanges, online banking users and individuals in Eastern Europe and North America. Because it also delivers secondary payloads, an infection can escalate to ransomware deployment, increasing the overall impact.
🛡️ Mitigation
Mitigation includes making sure AMSI is active (it is enabled by default on Windows 10 and later, so check that it has not been disabled) and turning on PowerShell script block and module logging, deploying endpoint detection rules for process hollowing (MITRE ATT&CK T1055.012), and blocking the C2 IPs and domains published in Zscaler's threat intelligence. Keep software patched, including the Office vulnerability CVE-2023-2482 cited above, and filter email to block VBS and ISO attachments, which are rarely legitimate in mail.
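The indicators listed under Detection Indicators, together with the detection rules recommended here, turned into a small matcher that runs over constructed Sysmon/EDR-style events. This is an added example, not code from Boteraser, Zscaler or any other vendor cited on the page. The event schema (keys such as `event`, `image`, `cmdline`, `target`, `dest_ip`, `user_agent`), the severity scoring and every sample event are constructed for the demonstration; the `MutexCreate` event type assumes an EDR that records mutex creation, which stock Sysmon does not.

```python
"""Indicator matching for the NikiTeaR artifacts listed on this page, run over
constructed Sysmon/EDR-style events. Added example, not vendor code."""
import ipaddress
import re
from typing import Dict, List

# Indicators as given on the page. The User-Agent is the stock Chrome 91
# string, so on its own it is scored low.
C2_NET = ipaddress.ip_network("5.188.62.0/24")
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
RUN_VALUE = "nikitear_update"
MUTEX_NAME = "nikitear_mutex_001"

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)  # HKLM or HKCU
B64_PS_RE = re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand)?\s|frombase64string", re.I)
TEMP_DLL_RE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.dll$", re.I)
SCHTASKS_CREATE_RE = re.compile(r"/create\b", re.I)
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def _hit(ev: Dict[str, str], severity: str, rule: str) -> Dict[str, str]:
    return {"id": ev["id"], "severity": severity, "rule": rule}


def check_event(ev: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply every page indicator that fits this event type; return the hits."""
    hits: List[Dict[str, str]] = []
    kind = ev.get("event")
    if kind == "ProcessCreate":
        image = ev.get("image", "").lower()
        cmdline = ev.get("cmdline", "")
        if image.endswith("powershell.exe") and B64_PS_RE.search(cmdline):
            hits.append(_hit(ev, "medium", "powershell_base64_decode"))
        if image.endswith("schtasks.exe") and SCHTASKS_CREATE_RE.search(cmdline):
            hits.append(_hit(ev, "low", "schtasks_create"))  # random task names need review
    elif kind == "FileCreate":
        if TEMP_DLL_RE.search(ev.get("target", "")):
            hits.append(_hit(ev, "medium", "dll_in_appdata_local_temp"))
    elif kind == "RegistrySet":
        target = ev.get("target", "")
        if RUN_KEY_RE.search(target) and target.lower().endswith("\\" + RUN_VALUE):
            hits.append(_hit(ev, "high", "run_key_nikitear_update"))
    elif kind == "MutexCreate":
        if ev.get("name", "").lower() == MUTEX_NAME:
            hits.append(_hit(ev, "high", "mutex_nikitear"))
    elif kind == "NetworkConnect":
        try:
            in_c2_range = ipaddress.ip_address(ev.get("dest_ip", "")) in C2_NET
        except ValueError:  # malformed or missing address
            in_c2_range = False
        if in_c2_range:
            hits.append(_hit(ev, "high", "c2_ip_range_5_188_62"))
        if ev.get("user_agent") == C2_USER_AGENT:
            hits.append(_hit(ev, "low", "c2_user_agent_stock_chrome91"))
    return hits


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [h for ev in events for h in check_event(ev)]


def triage(events: List[Dict[str, str]]) -> str:
    """Overall verdict: the highest severity seen, or 'clean'."""
    hits = scan(events)
    if not hits:
        return "clean"
    return max(hits, key=lambda h: SEVERITY_RANK[h["severity"]])["severity"]


# Constructed sample telemetry resembling the chain described on the page.
SAMPLE_EVENTS = [
    {"id": "1", "event": "ProcessCreate", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'},
    {"id": "2", "event": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": "3", "event": "FileCreate", "target": r"C:\Users\alice\AppData\Local\Temp\q7kz2m1p.dll"},
    {"id": "4", "event": "RegistrySet",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NikiTeaR_Update"},
    {"id": "5", "event": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 30 /tn "Xk92maQ" '
                r'/tr "rundll32 C:\Users\alice\AppData\Local\Temp\q7kz2m1p.dll,#1"'},
    {"id": "6", "event": "NetworkConnect", "dest_ip": "5.188.62.17", "dest_port": "80",
     "user_agent": C2_USER_AGENT},
    {"id": "7", "event": "NetworkConnect", "dest_ip": "142.250.74.110", "dest_port": "443",
     "user_agent": C2_USER_AGENT},  # stock UA to an unrelated host: low only
    {"id": "8", "event": "MutexCreate", "name": "NikiTeaR_Mutex_001"},
    {"id": "9", "event": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"event {h['id']}: [{h['severity']}] {h['rule']}")
    print("verdict:", triage(SAMPLE_EVENTS))
```

Run it as a script to print the hits, or map real telemetry onto the same keys and call `scan`. The User-Agent rule is deliberately low severity: alone it would flag every Chrome 91 client on the network, and the 5.188.62.0/24 range is a datacenter netblock that can host unrelated services, so treat both as supporting evidence that raises the confidence of the host-based hits (run-key value, mutex, DLL in the temp directory) rather than as verdicts on their own.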
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.