Since early 2018, a threat actor has been attempting to infect Russian and Cambodian political targets with a newly discovered malicious remote administration tool (RAT) that researchers believe could have North Korean connections.
Palo Alto Networks’ Unit 42 threat research team, which uncovered the malware, refers to it as NOKKI because it shares overlapping code and infrastructure with KONNI, another RAT that for the last four years has been spread through phishing documents often containing themes pertaining to the Korean peninsula.
What’s more, NOKKI has connections to the presumed North Korean APT group Reaper (aka Group 123), which is known for its ROKRAT or DOGCALL malware, Unit 42 explained in a pair of recently published blog posts.
NOKKI is most like KONNI in the manner it collects information from an infected machine, including its IP address, host name, user name, driver information, operating system and installed programs. “Based on the similarities witnessed, we think it is highly probable there is some amount of code sharing and likely a single adversary group involved,” stated researchers and blog post co-authors Josh Grunzweig and Bryan Lee in the first of two reports.
The malware, which can also drop and execute payloads and produce decoy documents, is also distributed similarly to KONNI — via email phishing campaigns. However, NOKKI differs from its predecessor in that it is highly modular in nature, its infection chain involves more steps, and it relies on compromised legitimate servers for its command-and-control communications. Victimized servers include ones operated by a South Korean science and tech website and a South Korean engineering organization, Unit 42 has reported.
Researchers say the NOKKI attacks can be divided into two waves — the first beginning in January 2018 and the second running through at least July. The attacks from January through May relied on the FTP protocol for C2 communications, while later attacks used a separate NOKKI variant that relies on HTTP.
But it’s the July attacks that are perhaps the most interesting, due to their use of an unusual string obfuscation routine that researchers observed in a previous phishing scheme targeting fans of the World Cup in Russia. This phishing campaign infected users with ROKRAT malware, which is associated solely with the Reaper/Group 123 threat group that is widely believed to operate on behalf of North Korea.
Another clue North Korea could be involved: the decoy documents used in the phishing campaign included not only World Cup lure content, but also an unrelated reference to a North Korean official visiting Singapore.
The earlier wave of NOKKI phishing attacks attempted to trick victims into opening a malicious Microsoft Windows executable file disguised as a PDF file, using lures featuring a Cambodian political theme, written in Cambodian.
Later, the perpetrators switched gears to target Russian interests, distributing malicious emails written in Cyrillic. For instance, an April attack that leveraged a malicious executable with an .scr extension had a file name referring to the Russian Ministry of Foreign Affairs, and featured content detailing a meeting between officials from Russia and Uzbekistan.
Further investigation turned up an additional dropper malware family called Final1stspy that delivers a payload in the ROKRAT/DOGCALL family that has various spyware capabilities, including taking screenshots, keylogging, capturing microphone data, collecting files and user information, and downloading more payloads.