Researchers Link New NOKKI Malware to North Korean Actor
4.10.2018 securityweek Virus
A recently observed variant of the KONNI malware appears tied to a remote access Trojan (RAT) previously attributed to a North Korean actor, Palo Alto Networks security researchers say.
Dubbed NOKKI, the new malware family shows close resemblance and code overlaps with KONNI, a piece of malware long used in attacks targeting the Korean peninsula, and is likely the work of the same developer. The threat has been in use since at least January 2018 and shows ties to the threat group known as Reaper, Palo Alto Networks reveals in a recent post.
NOKKI, the security researchers discovered, was designed to collect a broad range of information from the infected machine (includes IP address, hostname, username, drive information, operating system information, and details on the installed programs), can drop additional malware onto the system, and can also execute decoy documents.
Starting in January, the researchers observed several attacks involving NOKKI, targeting entities in Cambodia and Russia with documents featuring content related to local political matters.
In a report published this week, Palo Alto Networks reveals that NOKKI is related to the DOGCALL malware family, a backdoor previously attributed to the Reaper group and likely in use by this group only. The actor is known for targeting the military and defense industry within South Korea, as well as a Middle Eastern organization doing business with North Korea.
By analyzing malicious macros within Microsoft Word documents designed to drop NOKKI, the researchers discovered that the employed deobfuscation technique was also used in documents targeting individuals interested in the World Cup hosted in Russia in 2018 with the DOGCALL malware.
While the NOKKI dropper samples would fetch both a payload and a decoy document, the World Cup malware sample would download and execute a remote VBScript file wrapped in HTML, while also appending text to the original Word document to provide the lure for the victim.
The VBScript file leverages the same unique deobfuscation routine, and fetches and executes a dropper called Final1stspy, which in turn downloads a payload belonging to the DOGCALL malware family.
When installed on a compromised machine, the threat can take screenshots, log keys, capture microphone data, collect victim information, collect files of interest, and download and execute additional payloads.
Communication with the command and control (C&C) is performed via third-party hosting services such as Dropbox, pCloud, Yandex Cloud, and Box.
“What originally began as research surrounding a new malware family named NOKKI that had code overlap and other ties to KONNI lead us to an interesting discovery tying the NOKKI malware family to the Reaper threat actor group. Additionally, we discovered yet another malware family that has not been previously publicly reported that we have named Final1stspy,” Palo Alto Networks concludes.