Page 115 - Cyber Defense eMagazine Annual RSA Edition for 2024
P. 115
Introduction
Nikki Stealer v1 was initially discovered on Telegram, where the developer showcased its undetectable
capabilities. We managed to gather details about the older version of Nikki Stealer. The malware's
developer, Sk4yx, operates primarily from Discord, where he shares the latest insights and recent
developments of the stealer, primarily in Portuguese. The latest version (v9) is now available for
purchase: this version is capable of stealing browser cookies, credentials, and other sensitive data, and
is developed using the Electron framework by GitHub. Interestingly, we have observed similarities in
source code between Nikki Stealer and Fewer Stealer.
Key Findings
Nikki Stealer drops PE (Portable Executable) files into the startup folder, ensuring it runs automatically
every time the system starts up.
The malware attempts to harvest and steal browser information, including browsing history, and
passwords.
Nikki Stealer tries to load missing Dynamic Link Libraries (DLLs), which could be necessary for its proper
functioning or to extend its capabilities.
The malware is built using the Electron framework, enabling the development of cross-platform desktop
applications using web technologies like JavaScript, HTML, and CSS.
Behavioral Analysis
File Name Cum3d_Setup.exe, nikki 1.1.4 (1).exe
File Size 66.47 Mb
Signed Not Signed
MD5 Hash a4317a8d4595f181c56efa6b3be6c14b
SHA-256 Hash 0fa64d5ad4c84011bef6e838d0f70121a3af53df5dbc3b5f5f0c16a8fb495244
First Seen in the Wild October 2023
th
At the time of analysis, i.e. March 10 , 2024, the stealer is flagged as malicious by only 2 vendors.
115
