Malware
NikiTeaR
NikiTeaR is a sophisticated, custom-developed RAT, which is a rewritten variant of the NikiHTTP (aka NikiTea) RAT.
It supports the following commands:
- srun <EXEC> <ARGS>: Executing arbitrary commands with elevated privileges.
- up/down <FILENAME>: Performing remote file operations (upload/download).
- screen: Capturing screenshots for reconnaissance.
- conn <IP_ADDRESS> <PORT>: Establishing a reverse shell to the given address and port.
- memload <EXPORT>: Loading an additional DLL into memory and invoking the named export.
- die <COMMAND>: Terminating the process and removing traces of the infection.
It is delivered via a multi-staged execution chain, beginning with a Golang-based dropper that executes a loader DLL with the internal name MemLoad_V3.dll, which is capable of loading DLLs reflectively (i.e. mapping them into memory without going through the Windows loader or touching disk).
Its internal DLL name is httptroy_dll.dll.
To resist analysis, the backdoor is heavily obfuscated; it utilizes custom hashing to conceal Windows API calls, and employs a combined Base64+XOR encryption for C&C traffic and internal character strings, which are dynamically reconstructed at runtime.
Family metadata imported from Malpedia (Fraunhofer FKIE).