| Nicecurl | |
| --- | --- |
| Type of Malware | Backdoor |
| Country of Origin | Iran |
| Date of initial activity | January 2024 |
| Targeted Countries | Regions of interest to Iran |
| Associated Groups | APT42 |
| Motivation | Data theft. Additionally, it supports executing commands such as downloading and executing files, with the capability to further extend its functionality by deploying additional payloads. |
| Type of information Stolen | Personally identifiable information (such as names, addresses, and contact details), financial information (such as credit card numbers, banking credentials, and online payment information), and login credentials for online accounts (usernames and passwords) |
| Attack Vectors | Malicious links from typo-squatted domains masquerading as news articles, likely sent via spear phishing and redirecting the user to fake Google login pages. |
| Tools | ExpressVPN nodes, Cloudflare-hosted domains, and ephemeral VPS servers |
| Targeted System | Windows |
Overview
NICECURL is a backdoor written in VBScript that can download additional modules for execution, including a data-mining module, and provides an interface for arbitrary command execution. The backdoor’s accepted commands include “kill” to remove artifacts and terminate execution, “SetNewConfig” to set a new sleep value, and “Module” to download and execute additional files, potentially extending NICECURL’s functionality. NICECURL communicates over HTTPS.
Targets
Credentials of journalists, researchers, and geopolitical entities in regions of interest to Iran.
How they operate
APT42 utilizes two custom backdoors named Nicecurl and Tamecat, each designed for specific functions within cyberespionage operations.
The attack begins with emails from online personas posing as journalists, NGO representatives, or event organizers, sent from domains that “typosquat” (closely resemble the domains of) legitimate organizations. The media organizations impersonated by APT42 include the Washington Post (U.S.), The Economist (UK), The Jerusalem Post (IL), Khaleej Times (UAE), and Azadliq (Azerbaijan), with Mandiant noting that the attacks often use typosquatted domains like “washinqtonpost[.]press”.
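A defender can catch sender domains like the one above before a lure lands by comparing the registrable label of every inbound sender domain against a watchlist of the outlets the organisation expects mail from. The following is an added example, not code from the page or from any vendor it cites; the watchlist domains and the edit-distance threshold are assumptions for illustration, and it flags both near-miss labels (one substituted character) and exact labels under a different TLD.

```python
"""Flag sender domains that impersonate a watchlist of legitimate news outlets."""
from typing import List, Optional, Tuple

# Constructed watchlist for illustration. The outlets are the ones the page
# names; the exact domains are assumed here and should be replaced with the
# ones your organisation actually trusts.
WATCHLIST = [
    "washingtonpost.com",
    "economist.com",
    "jpost.com",
    "khaleejtimes.com",
]

MAX_EDIT_DISTANCE = 2  # assumed threshold: 1-2 edits covers most homoglyph swaps


def refang(domain: str) -> str:
    """Undo the '[.]' defanging commonly used in threat reports."""
    return domain.strip().lower().replace("[.]", ".")


def split_label(domain: str) -> Tuple[str, str]:
    """Return (second-level label, TLD). Naive: the last label is treated as
    the TLD, so 'example.co.uk' yields ('co', 'uk'); adequate for a demo."""
    parts = refang(domain).split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Optional[Tuple[str, str]]:
    """Return (impersonated legitimate domain, reason) or None if not suspicious."""
    label, tld = split_label(domain)
    for legit in WATCHLIST:
        legit_label, legit_tld = split_label(legit)
        if label == legit_label:
            if tld == legit_tld:
                return None  # the genuine domain itself
            return legit, "same label, different TLD"
        if levenshtein(label, legit_label) <= MAX_EDIT_DISTANCE:
            return legit, "lookalike label"
    return None


def flag_lookalikes(domains: List[str]) -> List[Tuple[str, str, str]]:
    """Return (observed domain, impersonated domain, reason) for each hit."""
    findings = []
    for d in domains:
        hit = classify(d)
        if hit:
            findings.append((refang(d), hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    # Constructed sample of observed sender domains
    observed = ["washinqtonpost[.]press", "economist.com", "jpost.co", "mail.google.com"]
    for seen, legit, reason in flag_lookalikes(observed):
        print(f"{seen:28} -> impersonates {legit:20} ({reason})")
```

Run against inbound mail logs, the function gives a cheap first-pass signal; real deployments should add a public-suffix list so multi-label TLDs are split correctly, and should allowlist the genuine domains explicitly.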
After exchanging enough communication to build trust with a victim, the attackers send a link to a document related to a conference or news article, depending on the selected lure topic. Clicking on these links directs the targets to fake login pages that mimic well-known services like Google and Microsoft, or specialized platforms relevant to the victim’s field of work. These phishing sites harvest not only the victim’s account credentials but also their multi-factor authentication (MFA) tokens.
The threat actors behind NICECURL have been observed distributing the malware via email, using malicious LNK files disguised as PDF files, purportedly interview forms. Once opened, these LNK files initiate the download of the NICECURL malware.
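Two host-side signals follow directly from that delivery chain: a shortcut whose name ends in a document extension plus ".lnk", and a Windows script host (NICECURL is VBScript) started by explorer.exe, as a double-clicked shortcut would start it, with its script in a user-writable directory. The code below is an added example, not code from the page; the event records are constructed and use a simplified schema rather than any particular product's, and the directory and script-host lists are assumptions that a deployment would tune.

```python
"""Simple detection rules for LNK-delivered script backdoors over constructed events."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry, deliberately simplified and not tied to any
# particular product's event schema. Users, paths and file names are invented.
SAMPLE_EVENTS: List[Event] = [
    {"type": "file_create", "user": "alice",
     "path": r"C:\Users\alice\Downloads\Interview_Form.pdf.lnk"},
    {"type": "process_create", "user": "alice",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\form.vbs"'},
    {"type": "file_create", "user": "bob",
     "path": r"C:\Users\bob\Documents\quarterly_report.pdf"},
    {"type": "process_create", "user": "SYSTEM",
     "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Program Files\Vendor\agent.exe",
     "cmdline": r'cscript.exe "C:\Program Files\Vendor\inventory.vbs"'},
]

# A shortcut whose name ends in a document extension followed by .lnk
DOC_MASQUERADE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.IGNORECASE)
# Script hosts a shortcut may invoke; assumed set, extend as needed
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable locations where a freshly downloaded script is likely to land (assumed)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_lnk_masquerade(ev: Event) -> bool:
    """File creation of a shortcut pretending to be a document."""
    return ev.get("type") == "file_create" and bool(DOC_MASQUERADE.search(ev.get("path", "")))


def check_script_host_from_shortcut(ev: Event) -> bool:
    """Script host launched by explorer.exe with a script under a user-writable directory."""
    return (
        ev.get("type") == "process_create"
        and basename(ev.get("image", "")) in SCRIPT_HOSTS
        and basename(ev.get("parent", "")) == "explorer.exe"
        and bool(USER_WRITABLE.search(ev.get("cmdline", "")))
    )


RULES = [
    ("lnk_masquerading_as_document", check_lnk_masquerade),
    ("script_host_launched_from_user_dir", check_script_host_from_shortcut),
]


def detect(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (rule_name, event) for every event that matches a rule."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                findings.append((name, ev))
    return findings


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"[{name}] user={ev['user']} {ev.get('path') or ev.get('cmdline')}")
```

The second rule is the one worth correlating: a script host under explorer.exe from a Temp or Downloads path, shortly after a ".pdf.lnk" write by the same user, is a much stronger signal than either event on its own, and the vendor-installed cscript.exe run in the sample shows why the parent and path conditions are needed to keep the rule quiet on legitimate automation.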
NICECURL enables threat actors to extract a range of sensitive information from compromised systems, targeting personal identifiers such as names, addresses, and contact details. It also gathers financial data such as credit card numbers, banking credentials, and online payment information. Moreover, NICECURL can harvest login credentials for online accounts, including usernames and passwords. This information allows threat actors to access victims’ email accounts, social media profiles, and other online services, facilitating further attacks like phishing campaigns.
NICECURL is capable of executing certain commands, including downloading and executing files. These commands extend NICECURL’s functionality, enabling threat actors to engage in additional malicious activities. One possible extension is the capability to deploy additional payloads, such as ransomware, spyware, cryptocurrency miners, and other forms of malware.
To evade detection and blend with normal operations, APT42 limits its actions to built-in features of the cloud tools it has access to, clears Google Chrome history after reviewing documents, and uses email addresses that appear to belong to the victimized organization to exfiltrate files to OneDrive accounts. Additionally, APT42 employs ExpressVPN nodes, Cloudflare-hosted domains, and ephemeral VPS servers during all interactions with the victim’s environment, making attribution more difficult.