NOKKI

NOKKI is a malicious software (malware) that was first identified in January 2018, with activities traced throughout the year. It originated from an investigation into a new malware family named NOKKI, which showed significant code overlap and other ties to KONNI, a previously identified malware. This led to the discovery of NOKKI's connection to the Reaper threat actor group. The malware is modular and has evolved over time, shifting from FTP to HTTP for Command and Control (C2) operations. Moreover, similarities in the tactics used to deliver NOKKI suggest that the same actors behind KONNI are likely operating NOKKI. The NOKKI malware family is related to other malware families, including DOGCALL and Final1stspy. The latter was a previously unreported malware family used to deploy DOGCALL and was named based on a pdb string found in the malware. NOKKI operates by downloading both a payload and a decoy document. In one instance, it was observed using a World Cup predictions malware sample that downloads and executes a remote VBScript file wrapped in HTML while appending text to the original Word document as a lure for the victim. Throughout 2018, Unit 42 released several blogs on Konni Group activity and subsequently identified two new malware families being used in attacks: NOKKI and CARROTBAT. An attack delivering the NOKKI payload was observed in early April 2018. Once executed and persistence established, NOKKI connects to a specific IP address for C2 communication via FTP. All known samples of NOKKI maintain a malware verdict in WildFire, indicating its persistent threat. Based on the information gathering module analysis, it is highly probable that the NOKKI operators are identical to the KONNI operators.