DOGCALL

Malware updated 7 months ago (2024-05-04T18:28:22.311Z)
Dogcall, also known as ROKRAT, is a remote access Trojan (RAT) first reported by Talos in April 2017. It has consistently been attributed to the advanced persistent threat group APT37, also known as Reaper. The malware uses third-party hosting services for data upload and command acceptance. Dogcall's primary function is to exploit and damage computer systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom.

A recent investigation by Volexity discovered Dogcall being delivered alongside another malware family called BLUELIGHT. This discovery indicates active development and maintenance of the backdoor, with adaptations made for other platforms such as macOS (CloudMensis) and Android (RambleOn). The APT37 group's modus operandi includes the use of custom malware families such as Dogcall. AutoFocus customers can track this threat via various tags, including KONNI, NOKKI, Final1stspy, Dogcall, and Reaper.

Interesting aspects of the relationship between Dogcall and its users include commented-out North Korean-related lure information and a Dogcall malware payload. The payload has been identified as part of the Dogcall malware family, which is attributed to the Reaper group, linked to North Korea by several security organizations. When executed, the malware deploys on the victim machine from files like "World Cup predictions.doc". This blog details the relationship found between the NOKKI and Dogcall malware families and introduces Final1stspy, a previously unreported malware family used to deploy Dogcall.
Description last updated: 2024-05-04T16:24:27.612Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: ROKRAT
Description: ROKRAT is a possible alias for DOGCALL. RokRAT is a form of malware that has been utilized in cyber-espionage campaigns primarily targeting South Korean entities. It is typically delivered via phishing emails containing ZIP file attachments, which contain LNK files disguised as Word documents. When the LNK file is activated, a PowerShell
Votes: 3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Source Document References
Information about the DOGCALL Malware was read from the documents corpus below.