- Experts believe that the threat actors behind the KONNI malware may also be operating NOKKI.
- The NOKKI campaign began in January 2018 and the malware has been primarily targeting politically-motivated victims.
A new malware family called NOKKI has been discovered targeting Eurasia and Southeast Asia. Security experts believe that the threat actors behind NOKKI are the same operating the KONNI malware. The NOKKI campaign began in January 2018 and the malware has been primarily targeting South Korea.
According to security researchers at Palo Alto Networks, who discovered the new malware campaign, NOKKI has been targeting politically-motivated victims. The attacks leverage compromised servers, most of which are located in South Korea. Researchers also believe that the operators of NOKKI and KONNI may have tenuous ties with the Reaper APT group.
“The earliest observed attack delivering NOKKI took place in January 2018,” Palo Alto researchers wrote in a blog. “The decoy documents themselves were both created and last modified by an author named Zeus.”
NOKKI malware capabilities
NOKKI comes packed with a variety of data-stealing capabilities. The malware can steal IP addresses, usernames, operating system (OS) information, drive information and more. The malware is also capable of dropping and executing additional payloads and decoy documents.
In three separate attacks - that took place in January, April and May - the decoy documents used by the malware’s operators indicate that the targets may have been located in Cambodia, Russia, and South Korea respectively.
In July 2018, researchers discovered that a South Korean engineering organization was compromised and hosting NOKKI’s C2 infrastructure since May 2018. Palo Alto researchers also discovered that NOKKI’s operators had upgraded the malware to switch from using FTP to HTTP for C2 communication.
NOKKI vs KONNI
Researchers discovered several infrastructure and code similarities between the NOKKI and KONNI malware.
“While we consider these malware families to be separate, we identified some similarities with KONNI. In addition to overlapping infrastructure between KONNI and NOKKI, a NOKKI module used to collect victim information was observed exhibiting very similar characteristics to the KONNI victim information collection function,” Palo Alto researchers said.
Code overlaps, similarities in infrastructure and distribution, as well as overlapping interest in targets suggest that the same threat actor is behind both NOKKI and KONNI. Researchers believe that since January 2018, KONNI operators switched to using the NOKKI malware.
“At this time, we can only speculate who these series of attacks may be attributed to based on tenuous relationships. However, there is significant evidence from our attack telemetry and victimology indicating the operator has a strong interest in specific regions of the world such as Eurasia, the Korean Peninsula, and Southeast Asia,” Palo Alto researchers said.