NOKKI Malware Sports Mysterious Link to Reaper APT Group

The Reaper APT group, suspected of being affiliated with North Korea, turns out to have a link to the recently uncovered NOKKI malware family.

Palo Alto’s Unit 42 recently observed NOKKI-laden attacks targeted Russian- and Cambodian-speaking individuals with political lures. NOKKI is a backdoor, first observed between January 2018 to May 2018 using a remote FTP server to ultimately accept commands and download additional modules. Newer versions of NOKKI then started appearing in June 2018 – these use HTTP.

According to Unit 42, the most recent cluster of attacks beginning in July 2018 saw NOKKI – previously seen to have some code overlap with another remote access trojan (RAT) malware called KONNI – making use of malicious macros within a Microsoft Word document.

“These particular macros were not overly complex in nature, and simply would attempt to perform the following actions: Download and run an executable malware payload; and download and open a Microsoft Word decoy document,” said Unit 42 researcher Josh Grunzweig, in a posting on Monday.

What is of note however is a unique obfuscation method used by the backdoor: “To avoid detection, the macros employ simple obfuscation of interesting strings that ultimately just used base64 encoding. However, it used a somewhat unusual method where it would first convert the base64-encoded text into hex, and then convert that hex into a text string,” he said.

After looking for other samples that use this deobfuscation technique, Unit 42 researchers were able to uncover only one other malware that does: A RAT called DogCall, used exclusively by the Reaper group. DogCall can take screenshots, perform keylogging, capture microphone data, collect victim information, collect files of interest, download and execute additional payloads. The malware also communicates with third-party hosting services for C2 channels, including Box, Dropbox, pCloud and Yandex Cloud.

Reaper, a.k.a. APT 37, targets organizations that would be of interest to a nation-state-backed APT group, including military and defense industry targets within South Korea, as well as a Middle Eastern organization that was doing business with North Korea.

The DogCall sample was found in a booby-trapped file that targeted individuals interested in the World Cup hosted in Russia in 2018. The deobfuscation routine used between the sample and NOKKI campaigns was identical. When the chain of execution completes, a DogCall malware sample is executed on the victim machine.

There’s more to the story, however.

“The actual functionality of the macro differed slightly,” Grunzweig said. “The NOKKI dropper samples downloaded both a payload and a decoy document, but this World Cup predictions malware sample downloads and executes a remote VBScript file wrapped in HTML and appends text to the original Word document to provide the lure for the victim.”

This VBScript file yet again contains the exact same unique deobfuscation routine. But when this second stage VBScript file executes, it begins by writing data to a special file, %APPDATA%\Microsoft\mib.dat. This file will later be used by the just-discovered Final1stspy malware family.

Final1stspy is a dropper malware family. Samples show that two files are involved: An executable file and a DLL. It eventually calls final payload: DogCall.

It’s unclear what the exact nature of the relationship is between Reaper and the authors of NOKKI (or KONNI, for that matter) – and it’s even more muddled because of Reaper’s focus on North Korean interests (a divergent aspect from how NOKKI has been used). However the fact that they are tied at all is notable.

“What originally began as research surrounding a new malware family named NOKKI that had code overlap and other ties to KONNI, lead us to an interesting discovery tying the NOKKI malware family to the Reaper threat actor group,” Grunzweig said. “There are some curious aspects to this relationship, such as commented out North Korean-related lure information and DogCall malware payload.”