{
	"id": "5b6c8e5b-689f-4a99-8be1-d7a680b61ff5",
	"created_at": "2026-04-06T00:12:51.718224Z",
	"updated_at": "2026-04-10T13:12:06.61438Z",
	"deleted_at": null,
	"sha1_hash": "18ea4850d71c976190d0a7861a5797040c5d0c60",
	"title": "Another look at Niteris : post exploitation WMI and Fiddler checks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 499996,
	"plain_text": "Another look at Niteris : post exploitation WMI and Fiddler checks\r\nArchived: 2026-04-05 17:31:15 UTC\r\n2015-05-12 - Study\r\nIn this post we'll see some of the improvements that have been brought to Niteris.\r\nDisclaimer : few configurations were tested, so most probably some added/replaced CVEs are missing.\r\nThe infection chain (should be clean now) :\r\nis the same as the one that has been used on eHow\r\nYou'll notice that the actors registered 20min .eu for the first redirect of traffic from 20min .ch, v5-static.ehowcdn .biz to mimic v5-static.ehowcdn .com, etc.\r\nhttps://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html\r\nPage 1 of 15\n\nVT Pdns from first redirector in the infection chain\r\nCompromised eHow redirection chain to Nuclear Pack pushing Dyre - 2015-05-05\r\nand on LiveStrong recently :\r\nCompromised LiveStrong redirecting to same infection chain/payload as eHow - 2015-05-06\r\nwhich are probably compromised since at least end of 2013 and where CVE-2013-5330 was first encountered...\r\nObviously Niteris has evolved on the Exploit integration side.\r\nCVE-2014-0569 :\r\nNiteris firing code to exploit CVE-2014-0569\r\nFlash Sample : 22ea8dd623c0f44e352ac7f3618a918b1f52a14552eec6c2d10ce0ff744bb66f\r\nCVE-2014-6332 :\r\nNiteris firing code to exploit CVE-2014-6332\r\nSent code : http://pastebin.com/raw.php?i=2hU1kDi6\r\nCode after js deobfuscation : http://pastebin.com/B5ihgFgv\r\nCode after vbs deobfuscation : http://pastebin.com/wrBeGxzM\r\nCVE-2015-0311 :\r\nNiteris successfully exploiting CVE-2015-0311 to push Ursnif\r\n2015-05-07\r\nFlash Sample : d438be33030b2ed20a3db52031e110034119111cb116ab58bd393da49d6d0efe\r\nCVE-2015-0336 :\r\nIncomplete pass of Niteris Firing CVE-2015-0336\r\n2015-05-04\r\nFlash Sample : d3a08acd97ee8f9d9fe0e530e34c42bb7d6e78c89021725393116bd5b5907df2\r\nbut here is some less expected stuff :\r\nCVE-2013-1710 \u0026 CVE-2012-3993 (Firefox Exploit - seems to be an implementation of this metasploit module)\r\nNiteris sending code to exploit CVE-2013-1710 \u0026 CVE-2012-3993\r\n2015-05-07\r\nPost exploitation AntiVM / Fiddler :\r\nNiteris call for post exploitation checks\r\nNote fake user agent.\r\n2015-05-07\r\nSent code : http://pastebin.com/mCu7AzGh\r\nCode after js deobfuscation : http://pastebin.com/UV51KECp\r\nCode after vbs deobfuscation : http://pastebin.com/VE4L48cz\r\nSo after exploitation some WMI checks are made to gather data on the system (Security Center, running processes...)\r\nNiteris checks based on WMI query and read of Fiddler default error on non resolving domains\r\n2015-05-07\r\nIf Niteris spots that you are running Fiddler or inside a VM, you'll be dropped before gathering the payload.\r\nHere you can see a VirtualBox using Fiddler as proxy sending data to the EK\r\nNiteris after close() function post Data showing that it has spotted both VirtualBox and Fiddler (outside of the VM)\r\n2015-05-07\r\nFiddler Side note :\r\nLooking at the CustomRules.js you'll read that the function \"OnReturningError(oSession: Session)\" executes just before Fiddler returns an error.\r\nThis is where the Niteris check can be defeated by modifying the response.\r\nIn the deobfuscated code, we can see the decoding routine :\r\nPayload decoding routine\r\nXor (key [g_xk] : 97dc6e7aaa9c089d0ed82ebfd9fca4fe)\r\nskipping 0 and matching bytes\r\nThe script is also using WMI to ensure the payload has been properly executed\r\nNiteris routine to ensure payload is running as expected\r\n2015-05-07\r\nOnce done a call back (with post data) is made to the EK\r\n(contains Model and Security products. They should be able to figure out when an Antivirus Vendor is catching them, the same way Antivirus Vendors are able to figure out when they miss an EK : no more hits in the telemetry :D)\r\n[Edit 2015-09-15 :]\r\nNote that depending on the IntegrityLevel of the process, the drop won't be executed the same way.\r\ng_ulvl = intlvl_identifier();\r\nvar f, Paths = (g_ulvl) ? ['%commonprogramfiles%\\\\System\\\\', '%allusersprofile%\\\\Microsoft\\\\Windows\\\\', '%allusersprofile%\\\\', '%appdata%\\\\Microsoft\\\\', '%userprofile%\\\\', '%tmp%\\\\Low\\\\', '%tmp%\\\\acro_rd_dir\\\\'] : ['%appdata%\\\\..\\\\LocalLow\\\\', '%userprofile\\\\AppData\\\\LocalLow\\\\'];\r\nWith UAC deactivated :\r\nrundll32 SHELL32.dll,ShellExec_RunDLL \"C:\\Windows\\SysWOW64\\rundll32\" \"C:\\Program Files (x86)\\Common Files\\System\\Windows6.1-KB9739367-x64.sys\",DllRegisterServer\r\nand a Post call back like : /crash/report/0/11111/\r\nWith UAC activated :\r\nand a Post call back like : /crash/report/0/11110/\r\n[/Edit]\r\nFiles: Niteris_2015-05-12.zip.\r\nThanks to @UnicornSec for the working Referer\r\nSpecial thanks to @DarienHuss for the impulse and help!\r\nThanks to @TimoHirvonen (F-Secure) for flash CVE identification.\r\n[Edit 2015-09-10 : Got another encounter]\r\nFiles: Fiddler and payload here (password malware)\r\nSummary of the filtering.\r\nNiteris - 2015-09-10 - Multi-layer filtering.\r\nThis is being done the right way :)\r\n[/Edit]\r\nRead More :\r\nSource: https://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html"
	],
	"report_names": [
		"another-look-at-niteris-post.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434371,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18ea4850d71c976190d0a7861a5797040c5d0c60.pdf",
		"text": "https://archive.orkl.eu/18ea4850d71c976190d0a7861a5797040c5d0c60.txt",
		"img": "https://archive.orkl.eu/18ea4850d71c976190d0a7861a5797040c5d0c60.jpg"
	}
}