| Niki | |
|---|---|
| Type of Malware | Backdoor |
| Country of Origin | North Korea |
| Targeted Countries | United States |
| Date of initial activity | 2024 |
| Motivation | Espionage |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
In a significant development within the realm of cyber espionage, researchers have unveiled a new and highly sophisticated malware campaign, dubbed “Niki,” that appears to be linked to North Korean hackers. This advanced threat specifically targets aerospace and defense companies, leveraging a previously undocumented backdoor that demonstrates the evolving capabilities of North Korean cyber operations. As the cyber threat landscape becomes increasingly complex, the emergence of Niki highlights the ongoing challenges faced by organizations in securing their systems against state-sponsored attacks.
The Niki malware campaign is notable for its multi-stage attack strategy, which begins with the distribution of seemingly legitimate job description files. These files, crafted to appear as if they come from reputable defense and aerospace firms like General Dynamics and Lockheed Martin, serve as a vehicle for delivering the malware’s primary payload. Once executed, the backdoor provides attackers with comprehensive remote access to victim systems, enabling them to perform a range of malicious activities, including executing commands, downloading additional payloads, and exfiltrating sensitive information.
What sets Niki apart from other threats is its sophisticated use of obfuscation techniques designed to evade detection. The malware employs advanced methods of string encryption and communicates with command and control servers using custom protocols over HTTP. This level of technical sophistication indicates that Niki is the product of a highly skilled development team, potentially involving outsourced expertise to enhance its effectiveness and stealth.
Targets
Information
Public Administration
How they operate
The Niki malware campaign begins with a deceptive phishing tactic, where attackers use seemingly innocuous job description files to lure victims. These files, crafted to appear as legitimate documents from prominent aerospace and defense companies like General Dynamics and Lockheed Martin, serve as the initial vector for the malware. Once opened, the job description files execute a primary backdoor payload, marking the start of the infection process.
The backdoor component of Niki is notable for its advanced obfuscation techniques. It utilizes sophisticated encryption methods to conceal its operations, making it challenging for traditional security measures to detect and analyze. One of the primary methods of evasion involves encrypting all API names, which are decrypted only at runtime when they are needed. This dynamic approach to encryption complicates reverse engineering and analysis efforts, showcasing the malware’s advanced design.
Niki also exhibits a high level of technical sophistication in its communication with command and control (C2) servers. The malware employs custom protocols over HTTP, further obfuscating its traffic and enhancing its ability to avoid detection by conventional network security tools. This method of C2 communication allows Niki to maintain a stealthy presence within infected systems while facilitating the remote execution of commands, additional payload deployment, and data exfiltration.
Additionally, researchers have identified evidence of multiple variants of the Niki backdoor, including a Golang-based dropper. This indicates an active and well-resourced development pipeline, capable of producing various iterations of the malware. The dropper itself is designed to be lightweight and effective, ensuring that once the backdoor is installed, it can perform reconnaissance, execute commands, and manage other payloads without detection.
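As an added defender-side example (not code from the original analysis), the Python heuristic below flags the artefact that "encrypt every API name and resolve it only at runtime" leaves in a binary: a near-empty import table that still contains a loader/resolver pair such as LoadLibraryA and GetProcAddress, next to a high-entropy blob where readable API names would normally sit. The import lists and byte blobs are constructed stand-ins; in practice they would come from a PE parser such as pefile.

```python
import hashlib
import math
from collections import Counter

# Windows APIs a loader needs when it resolves everything else by hand at runtime.
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LdrLoadDll"}
RESOLVERS = {"GetProcAddress", "LdrGetProcedureAddress"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ASCII string tables sit around 4-5, encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(imports: dict, strings_blob: bytes,
           max_imports: int = 6, entropy_floor: float = 7.0) -> dict:
    """imports: DLL name -> imported function names (as a PE parser lists them).
    strings_blob: bytes of the section where API name strings would normally live."""
    names = {fn for fns in imports.values() for fn in fns}
    sparse = len(names) <= max_imports
    resolver_pair = bool(names & LOADERS) and bool(names & RESOLVERS)
    high_entropy = shannon_entropy(strings_blob) >= entropy_floor
    return {
        "sparse_imports": sparse,
        "resolver_pair": resolver_pair,
        "high_entropy_strings": high_entropy,
        # All three together are the footprint of API names decrypted only at runtime.
        "suspicious": sparse and resolver_pair and high_entropy,
    }


# Constructed samples for illustration; these are not Niki's real imports or data.
SPARSE_IMPORTS = {"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress",
                                   "VirtualAlloc", "ExitProcess"]}
NORMAL_IMPORTS = {
    "KERNEL32.dll": ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle",
                     "GetLastError", "HeapAlloc", "HeapFree", "Sleep"],
    "WS2_32.dll": ["socket", "connect", "send", "recv"],
}
PLAIN_BLOB = b"\x00".join(fn.encode() for fns in NORMAL_IMPORTS.values() for fn in fns)
# Deterministic stand-in for an encrypted string table: SHA-256 output is near-uniform.
ENC_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))

if __name__ == "__main__":
    for label, imp, blob in (("sparse/encrypted", SPARSE_IMPORTS, ENC_BLOB),
                             ("normal", NORMAL_IMPORTS, PLAIN_BLOB)):
        print(label, assess(imp, blob))
```

Thresholds are deliberately loose; tune max_imports and entropy_floor against a clean baseline before using the check for triage.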
MITRE Tactics and Techniques
Initial Access:
Phishing (T1566): The campaign uses job description lures in malicious files to entice targets into executing the malware.
Execution:
User Execution (T1204): The malware is executed when the victim opens the malicious job description file.
Persistence:
Scheduled Task/Job (T1053): Niki may create scheduled tasks or jobs to maintain persistence on the infected system.
Privilege Escalation:
Exploitation for Privilege Escalation (T1068): The malware may leverage vulnerabilities to escalate privileges, although no specific exploitation technique was detailed in the analysis.
Defense Evasion:
Obfuscated Files or Information (T1027): Niki employs sophisticated obfuscation techniques, including string encryption and custom protocols, to evade detection.
Impair Defenses (T1562): The malware’s ability to operate stealthily and evade traditional defenses suggests it may include methods to disrupt or avoid security measures.
Command and Control:
Custom Command and Control Protocol (T1095): Niki communicates with its command and control servers using custom HTTP protocols, making detection more challenging.
Domain Generation Algorithms (T1483): Not explicitly reported; the use of custom protocols hints at possible domain generation techniques for resilience, so this mapping is inferred rather than observed.
Exfiltration:
Exfiltration Over Command and Control Channel (T1041): The malware can exfiltrate data through its command and control channel, facilitating the transfer of sensitive information back to the attackers.
Collection:
Data Staged (T1074): The malware's capability to drop additional payloads and exfiltrate data suggests that it might stage data locally before exfiltration or manipulation.