Niki (Backdoor) – Malware

June 19, 2024

Niki

Type of Malware

Backdoor

Country of Origin

North Korea

Targeted Countries

United States

Date of initial activity

2024

Motivation

Espionage
Cyberwarfare

Attack Vectors

Phishing

Targeted Systems

Windows

Overview

Researchers have described a new malware campaign, dubbed “Niki,” that appears to be linked to North Korean operators. The campaign targets aerospace and defense companies and relies on a previously undocumented backdoor, a further sign of the maturing capabilities of North Korean cyber operations and of the difficulty organizations face in defending against state-sponsored intrusions.

The campaign is notable for its multi-stage delivery chain, which begins with the distribution of seemingly legitimate job description files. These files are crafted to look as though they come from reputable defense and aerospace firms such as General Dynamics and Lockheed Martin, and they carry the malware’s primary payload. Once executed, the backdoor gives the attackers comprehensive remote access to the victim system: they can run commands, download additional payloads, and exfiltrate sensitive information.

What sets Niki apart from many other threats is the effort spent on evading detection. The malware encrypts its strings and communicates with command and control servers over HTTP using custom protocols. This level of technical sophistication suggests a skilled development team, possibly including outsourced expertise brought in to improve the backdoor’s effectiveness and stealth.

Targets

  • Information
  • Public Administration

How they operate

The Niki campaign begins with a phishing lure: job description files that appear to be legitimate documents from prominent aerospace and defense companies such as General Dynamics and Lockheed Martin. These files are the initial vector. Once opened, they execute the primary backdoor payload, which marks the start of the infection.

The backdoor component is notable for its obfuscation. It conceals its operation with encryption, which makes it harder for traditional security tooling to detect and analyze. One of the main evasion methods is to encrypt every API name the malware uses and decrypt each one only at runtime, at the moment it is needed. Because the names never appear in clear text on disk, static analysis and reverse engineering become considerably more time-consuming.

Niki also shows a high level of sophistication in its communication with command and control (C2) servers. It uses custom protocols carried over HTTP, which obscures its traffic and reduces the chance that conventional network security tools will flag it. This C2 channel lets Niki maintain a stealthy presence on infected systems while supporting remote command execution, deployment of additional payloads, and data exfiltration.

Researchers have also found evidence of multiple variants of the Niki backdoor, including a Golang-based dropper, which points to an active and well-resourced development pipeline capable of producing several iterations of the malware. The dropper is designed to be lightweight and effective: once the backdoor is installed, it can perform reconnaissance, execute commands, and manage further payloads without drawing attention.
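The profile states that Niki encrypts all of its API names and decrypts each one only at runtime, which is why a plain string dump of such a sample shows almost nothing of interest. The following Python is an added analyst-side example, not Niki’s code and not code from the Threat Intelligence Lab post: it builds a constructed blob of API names obfuscated with a single-byte XOR (an assumption standing in for whatever scheme the real sample uses), then tries every key and reports which keys yield known Windows API names. The API list, the key, and the `build_sample_blob` helper are assumptions made for the demonstration.

```python
"""
Brute-force recovery of XOR-obfuscated API names from a blob of bytes.

Added example for this profile; it is not Niki's code and not code from the
Threat Intelligence Lab post. The single-byte XOR scheme, the key and the API
list are assumptions chosen for the demonstration, and build_sample_blob()
constructs the input rather than reading a real sample.
"""

# API names an analyst would expect a Windows backdoor to resolve at runtime.
# Assumption for the example; the report does not list Niki's imports.
KNOWN_APIS = [
    b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"CreateProcessW",
    b"WinHttpOpen", b"WinHttpSendRequest", b"InternetOpenA", b"CreateFileW",
    b"WriteFile", b"CreateRemoteThread",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def build_sample_blob(key: int = 0x5A) -> bytes:
    """Constructed sample: NUL-separated API names XORed with one key,
    wrapped in a few junk bytes so the data does not start on a string boundary."""
    names = [b"LoadLibraryA", b"GetProcAddress", b"WinHttpOpen", b"VirtualAlloc"]
    plain = b"\x00".join(names) + b"\x00"
    return b"\x90\x11\x22" + xor_bytes(plain, key) + b"\xff\xfe"


def recover_api_names(blob: bytes) -> dict[int, list[str]]:
    """Try all 256 single-byte keys and return {key: [API names found]}.

    A plain `strings` run finds nothing because every byte is transformed;
    trying each key and searching for known names is the usual first triage
    step when a sample has a near-empty import table.
    """
    hits: dict[int, list[str]] = {}
    for key in range(256):
        decoded = xor_bytes(blob, key)
        found = [name.decode() for name in KNOWN_APIS if name in decoded]
        if found:
            hits[key] = found
    return hits


def static_strings_reveal(blob: bytes) -> list[str]:
    """What a naive static scan (key 0, i.e. no transformation) would see."""
    return recover_api_names(blob).get(0, [])


if __name__ == "__main__":
    blob = build_sample_blob()
    print("visible to a plain string scan:", static_strings_reveal(blob))
    for key, names in recover_api_names(blob).items():
        print(f"key 0x{key:02x}: {names}")
```

The point for a defender is the contrast between `static_strings_reveal`, which returns nothing, and `recover_api_names`, which surfaces the hidden names under exactly one key. Real samples may use multi-byte keys or a stream cipher, in which case this brute force fails and a debugger breakpoint on the decryption routine is the next step, but an empty import table combined with a high-entropy data section is itself a useful triage signal.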

MITRE Tactics and Techniques

  • Initial Access: Phishing (T1566): The campaign uses job description lures in malicious files to entice targets into executing the malware.
  • Execution: User Execution (T1203): The malware is executed when the victim opens the malicious job description file.
  • Persistence: Scheduled Task/Job (T1053): Niki may create scheduled tasks or jobs to maintain persistence on the infected system.
  • Privilege Escalation: Exploitation of Vulnerability (T1203): The malware may leverage vulnerabilities to escalate privileges, although specific exploitation techniques were not detailed.
  • Defense Evasion: Obfuscated Files or Information (T1027): Niki employs sophisticated obfuscation techniques, including string encryption and custom protocols, to evade detection.
  • Defense Evasion: Impair Defenses (T1562): The malware’s ability to operate stealthily and evade traditional defenses suggests it may include methods to disrupt or avoid security measures.
  • Command and Control: Custom Command and Control Protocol (T1095): Niki communicates with its command and control servers using custom HTTP protocols, making detection more challenging.
  • Command and Control: Domain Generation Algorithms (T1483): While not explicitly mentioned, the use of custom protocols hints at possible domain generation techniques for resilience.
  • Exfiltration: Exfiltration Over Command and Control Channel (T1041): The malware can exfiltrate data through its command and control channel, facilitating the transfer of sensitive information back to the attackers.
  • Impact: Data Staged (T1074): The malware’s capability to drop additional payloads and exfiltrate data suggests that it might stage data for later exfiltration or manipulation.
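The command and control and exfiltration entries above (custom protocols over HTTP, exfiltration over the C2 channel) share one property: the payload is custom, so content signatures are weak, but an implant that polls its server on a timer still leaves a timing pattern. The Python below is an added detection example, not from the report; the proxy log lines are constructed (TEST-NET and example.* addresses), the line format is an assumption, and the thresholds (`min_requests`, `max_cv`) are tuning values chosen for the demonstration.

```python
"""
Flag periodic HTTP beaconing in proxy logs, one content-agnostic signal for
custom C2 carried over HTTP.

Added example for this profile; not code from the report. The log lines are
constructed, the "<timestamp> <client_ip> <method> <url> <status>" format is
assumed, and the thresholds are tuning assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log. 10.0.0.12 polls 203.0.113.10 every 60 s (the implant
# pattern) while also browsing example.com at irregular times; 10.0.0.13 is
# a second, quiet client.
SAMPLE_LOG = """\
2024-06-19T10:00:00 10.0.0.12 POST http://203.0.113.10/api/v1/sync 200
2024-06-19T10:00:23 10.0.0.12 GET http://www.example.com/ 200
2024-06-19T10:01:00 10.0.0.12 POST http://203.0.113.10/api/v1/sync 200
2024-06-19T10:01:05 10.0.0.13 GET http://www.example.org/news 200
2024-06-19T10:02:00 10.0.0.12 POST http://203.0.113.10/api/v1/sync 200
2024-06-19T10:02:47 10.0.0.12 GET http://www.example.com/about 200
2024-06-19T10:03:00 10.0.0.12 POST http://203.0.113.10/api/v1/sync 200
2024-06-19T10:03:02 10.0.0.12 GET http://www.example.com/contact 200
2024-06-19T10:04:00 10.0.0.12 POST http://203.0.113.10/api/v1/sync 200
2024-06-19T10:04:00 10.0.0.13 GET http://www.example.org/ 200
2024-06-19T10:05:00 10.0.0.12 POST http://203.0.113.10/api/v1/sync 200
2024-06-19T10:05:40 10.0.0.12 GET http://www.example.com/jobs 200
2024-06-19T10:06:00 10.0.0.12 POST http://203.0.113.10/api/v1/sync 200
2024-06-19T10:09:31 10.0.0.12 GET http://www.example.com/ 200
"""


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Split one assumed-format log line into (timestamp, client_ip, host)."""
    ts, src, _method, url, _status = line.split()
    return datetime.fromisoformat(ts), src, urlsplit(url).hostname or ""


def find_beacons(log_text: str, min_requests: int = 5, max_cv: float = 0.2) -> list[dict]:
    """Return (src, host) pairs whose inter-request gaps are nearly constant.

    cv = stddev / mean of the gaps. A human browsing produces ragged gaps
    (high cv); an implant on a fixed timer produces a cv near zero, and modest
    jitter still stays well under max_cv.
    """
    times: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, host = parse_line(line)
            times[(src, host)].append(ts)

    beacons = []
    for (src, host), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all requests in the same second: burst, not a beacon
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "host": host, "count": len(stamps),
                            "mean_interval": round(avg, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b['src']} -> {b['host']}: {b['count']} requests, "
              f"every {b['mean_interval']} s (cv={b['cv']})")
```

On the constructed log only the 10.0.0.12 to 203.0.113.10 pair is reported; the same client’s browsing to example.com has five requests but a coefficient of variation above 0.5 and is left alone. In production the same logic runs per (client, destination) over a longer window, and a hit is corroborated with the other signals the profile mentions, such as an unfamiliar destination, POST bodies to a fixed path, or a process on the host whose import table is nearly empty.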
References
  • Threat Intelligence Lab’s Post
Tags: API, Backdoor, General Dynamics, Lockheed Martin, Malware, Niki, North Korea
    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial