Iluria Stealer; a Variant of Another Discord Stealer – CYFIRMA

Iluria Stealer is a new variant linked to Nikki Stealer that targets Discord and browser data, operated by a group including Ykg, Noxty, Outlier, and Ness. It uses an NSIS installer with an obfuscated Electron app to decrypt and inject malicious code into Discord, exfiltrating tokens, passwords, and autofill data to a C2 server.

Key Points

  • Iluria Stealer is a new Discord/browser-stealer variant connected to Nikki Stealer and SonicGlyde, with four operators (Ykg, Noxty, Outlier, Ness).
  • Delivery involves an NSIS installer housing an obfuscated Electron app that decrypts code at runtime and injects into Discord’s index.js to contact a C2 server (api.nikkistealer.shop).
  • The malware steals Discord tokens, browser passwords, autofill data, and cookies, decrypting data from the Local State, Login Data, Web Data, and Cookies files according to browser type.
  • It can terminate processes and may target related accounts (crypto exchanges, banks) using stolen browser and account information.
  • IP geolocation is gathered via ipinfo.io, and C2 communications are observed with api.nikkistealer.shop; several IOCs are linked to Iluria’s operations and hosting (Hostinger).
  • Recent developments include version 2 (May 11, 2024) and a transition of Nikki Stealer’s community to Iluria Stealer, with cross-channel promotion and a Hostinger-hosted presence.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The malware injects malicious code into Discord’s index.js and downloads a malicious JavaScript file to replace Discord’s index.js, ensuring code runs on start. “The modifications… are appended to the index.js file, ensuring that the malicious code runs whenever Discord is started.”
  • [T1071] Application Layer Protocol – The stealer communicates with a C2 server via HTTP GET requests to api.nikkistealer.shop to retrieve commands or updates. “making GET requests to the Command and Control (C2) server api[.]nikkistealer[.]shop.”
  • [T1057] Process Discovery – The malware enumerates running processes to determine what to terminate or manipulate, e.g., “obtaining a list of running tasks potentially used for analysis… ‘taskkill’ is used to terminate each one.”
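The index.js tampering described under T1059 leaves a file on disk that a defender can check. The following triage script is an added example, not CYFIRMA's code nor anything from the stealer: it scans Discord module index.js files for the indicators named in this summary (the C2 domain, the ipinfo.io lookup, taskkill) and flags code appended after the stock require line. The install path under %LOCALAPPDATA% and the assumption that the stock discord_desktop_core index.js is a single require('./core.asar') line are assumptions, not facts from the report.

```python
"""Triage helper for Discord index.js tampering (added example, not the
report's or the malware's code). Assumptions: Discord module index.js files
live under %LOCALAPPDATA%\\Discord, and the stock discord_desktop_core
index.js is one require('./core.asar') line, so extra lines are suspect."""
import os
import re
from pathlib import Path

# Strings this summary ties to Iluria Stealer's behaviour.
INDICATORS = {
    "c2_domain": "api.nikkistealer.shop",
    "geo_lookup": "ipinfo.io",
    "process_kill": "taskkill",
}
# Assumed shape of an untouched discord_desktop_core index.js.
STOCK_CORE_RE = re.compile(
    r"^\s*module\.exports\s*=\s*require\(['\"]\./core\.asar['\"]\);?\s*$")


def scan_index_js(text: str) -> list[str]:
    """Return findings for the contents of one index.js file."""
    findings = []
    for name, needle in INDICATORS.items():
        if needle in text:
            findings.append(f"indicator:{name}")
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # Heuristic: stock file is a single require line; an appended payload
    # adds lines after it without replacing that first line.
    if lines and STOCK_CORE_RE.match(lines[0]) and len(lines) > 1:
        findings.append(f"appended_code:{len(lines) - 1}_extra_lines")
    return findings


def scan_discord_modules(root: Path) -> dict[str, list[str]]:
    """Walk a Discord install root and scan every index.js found."""
    results = {}
    for path in root.rglob("index.js"):
        hits = scan_index_js(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed samples: a stock file and one with text appended after it.
CLEAN_SAMPLE = "module.exports = require('./core.asar');\n"
TAMPERED_SAMPLE = CLEAN_SAMPLE + (
    "// constructed payload stub referencing api.nikkistealer.shop\n"
    "// constructed line that would run taskkill against a process\n"
    "// constructed third line of appended code\n"
)

if __name__ == "__main__":
    root = Path(os.environ.get("LOCALAPPDATA", ".")) / "Discord"
    print(scan_discord_modules(root) if root.exists() else "no Discord dir found")
```

Run it on a Windows host to list every index.js that matches; an empty result means none of these specific indicators were present, not that the install is clean.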

Indicators of Compromise

  • [SHA-256] Iluria Stealer binary – b66ce85c6942855970fe939a31459e5b7489e6d2c4bbe0d9d89cb8a863082e1c
  • [MD5] Iluria Stealer binary – f13115afbc6c7440771aa8b26daa1494
  • [Domain] C2 domain – api.nikkistealer.shop
  • [Domain] Related domain – Badgeshop.site
  • [SHA-256] Similar Malware variant – 865d5423ec49f96d005cb0b1561a966d8b66f3f2fec7f10a8738d97ffb711990
  • [SHA-256] Related malware variant – 8681456f3f5829f67a2d429b7095715b1b65a7be1aa5e90b9ec5945aa22a099b
  • [Filename] Primary executable – dskadksa-1d7Izx3B5.exe

Read more: https://www.cyfirma.com/research/iluria-stealer-a-variant-of-another-discord-stealer/