Nidiran

Malware updated 6 months ago (2024-05-04T18:48:22.956Z)
Nidiran is a form of malware: harmful software designed to exploit and damage computer systems, typically infiltrating them through suspicious downloads, emails, or websites without the user's knowledge. Nidiran was used by the cybercriminal group Suckfly in its attacks, where it was delivered through a strategic web compromise. The Nidiran backdoor enabled Suckfly to infect victims' internal hosts and steal information about the compromised organization, although it remains unclear whether Suckfly succeeded in stealing additional data.

On April 22, 2015, Suckfly exploited a vulnerability in a targeted employee's Windows operating system, which allowed the group to bypass User Account Control and install the Nidiran backdoor, gaining the access needed for the attack. Post-exploitation, Nidiran was delivered via a self-extracting executable that extracted its components to a .tmp folder once executed. This delivery method was part of Suckfly's established modus operandi: a combination of hacktools and backdoors such as Nidiran used to achieve its objectives.

In-depth analysis of Suckfly malware samples made it possible to extract some of the communications between the Nidiran backdoor and the Suckfly command and control (C&C) domains. Notably, the port and C&C information were found to be encrypted and hardcoded into the Nidiran malware itself. Despite the sophisticated nature of these attacks, the successful analysis of these samples provides valuable insight into the tactics, techniques, and procedures employed by Suckfly, aiding the development of more effective defenses against such threats.
Description last updated: 2024-05-04T16:18:35.979Z
Aliases: We are not currently tracking any aliases
Miscellaneous Associations: Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Source Document References
Information about the Nidiran malware was read from the documents in the corpus below. This display is limited to 20 results.
Source: MITRE (created 2 years ago)
Source: MITRE (created 2 years ago)