NOKKI

Malware Profile Updated 2 months ago
NOKKI is a malware family first identified in January 2018, with activity traced throughout that year. It came to light during an investigation into a new malware family that showed significant code overlap and other ties to KONNI, a previously identified malware; that investigation in turn led to the discovery of NOKKI's connection to the Reaper threat actor group. The malware is modular and has evolved over time, shifting from FTP to HTTP for Command and Control (C2) operations. Similarities in the tactics used to deliver NOKKI suggest that the same actors behind KONNI are likely operating NOKKI. The NOKKI family is related to other malware families, including DOGCALL and Final1stspy; the latter was a previously unreported family used to deploy DOGCALL and was named after a PDB string found in the malware. NOKKI operates by downloading both a payload and a decoy document. In one instance, a World Cup predictions sample was observed downloading and executing a remote VBScript file wrapped in HTML while appending text to the original Word document as a lure for the victim. Throughout 2018, Unit 42 released several blogs on Konni Group activity and subsequently identified two new malware families being used in attacks: NOKKI and CARROTBAT. An attack delivering the NOKKI payload was observed in early April 2018. Once executed and persistence is established, NOKKI connects to a specific IP address for C2 communication via FTP. All known NOKKI samples carry a malware verdict in WildFire, indicating a persistent threat. Based on analysis of the information gathering module, it is highly probable that the NOKKI operators are identical to the KONNI operators.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
KONNI (1 vote): Konni is malware, short for malicious software, that poses a significant threat to computer systems and data. It is designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Konni can wreak havoc by stealin

CARROTBAT (1 vote): Carrotbat is malicious software, or malware, first discovered in December 2017 during an attack. The discovery was made by Unit 42, which dubbed the malware family "Carrotbat". It was found to be related to another attack on a British government agency due to overlaps within the attack infrastruct

Final1stspy (1 vote): Final1stspy is a previously unreported malware family that was discovered and named after a PDB string found in the malware. This harmful software, designed to exploit and damage computer systems, is closely related to the NOKKI and DOGCALL malware families, used as a deployment mechanism fo

DOGCALL (1 vote): Dogcall, also known as ROKRAT, is a remote access Trojan (RAT) first reported by Talos in April 2017. It has consistently been attributed to the Advanced Persistent Threat group APT37, also known as Reaper. The malware uses third-party hosting services for data upload and command acceptanc
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Payload
Dropper
Malware
Decoy
Associated Malware
No associations to display
Associated Threat Actors
Reaper (type: Unspecified, 1 vote): Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious tool that has been used in cyber exploitation since the 1970s. This group is also tied to the NOKKI malware family, which originated from research surroun

Konni Group (type: Unspecified, 1 vote): The Konni Group, also known as TA406, is a threat actor believed to be associated with North Korean cyberespionage activities. According to cybersecurity firm DuskRise, the group has been involved in sophisticated cyberattacks, including one where they compromised a foreign ministry email account to
Associated Vulnerabilities
No associations to display
Source Document References
Information about the NOKKI malware was read from the document corpus below (this display is limited to 20 results).

MITRE (a year ago): New KONNI Malware attacking Eurasia and Southeast Asia
MITRE (a year ago): NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
MITRE (a year ago): The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks