NOKKI malware and Reaper threat

A new malware family dubbed NOKKI is being used in politically motivated attacks targeting Russian- and Cambodian-speaking people and organizations.

Palo Alto Networks' Unit 42 security researchers identified the NOKKI malware threat and also found ties to a threat actor group called Reaper. Unit 42 spotted the malicious activity starting in July 2018. NOKKI uses malicious macros embedded in a Microsoft Word document. The macros are used to download and run an executable malware payload, as well as to download and open a decoy Word document.

“To avoid detection, the macros employ simple obfuscation of interesting strings that ultimately just used base64 encoding. However, it used a somewhat unusual method where it would first convert the base64-encoded text into hex, and then convert that hex into a text string,” Unit 42 stated. 
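As an added illustration of the layering described in that quote (example code written for this page, not Unit 42's tooling or anything from the macro itself), the following Python triage helper pulls double-quoted string literals out of a VBA-style macro source and tries to peel back the two layers in reverse: hex text back to base64 text, then base64 back to plaintext. It assumes the stored form is hex over base64, which is how the quote reads; the `layer()` function, the sample macro and the `decoy.doc` string are constructed for the demonstration.

```python
import base64
import binascii
import re

# Constructed helper (not from the page): apply the two layers the article describes
# so the decoder below can be exercised on known input.
def layer(plaintext: str) -> str:
    """base64-encode the text, then hex-encode the resulting base64 characters."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return binascii.hexlify(b64.encode("ascii")).decode("ascii")

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def unlayer(candidate: str):
    """Reverse hex -> base64 -> plaintext. Returns None unless every layer validates."""
    s = candidate.strip()
    # Layer 1: must be an even-length run of hex digits.
    if not s or len(s) % 2 or not HEX_RE.match(s):
        return None
    try:
        b64_text = bytes.fromhex(s).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    # Layer 2: the de-hexed text must itself look like padded base64.
    if len(b64_text) % 4 or not B64_RE.match(b64_text):
        return None
    try:
        raw = base64.b64decode(b64_text, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def extract_strings(macro_source: str) -> dict:
    """Map each double-quoted literal that decodes cleanly to its recovered plaintext."""
    found = {}
    for literal in re.findall(r'"([^"\n]*)"', macro_source):
        decoded = unlayer(literal)
        if decoded is not None:
            found[literal] = decoded
    return found

# Constructed VBA-style snippet (not the real macro): one layered literal, one plain literal.
SAMPLE_MACRO = '''
Dim s As String
s = "%s"
MsgBox "hello"
''' % layer("decoy.doc")

if __name__ == "__main__":
    for literal, plain in extract_strings(SAMPLE_MACRO).items():
        print(f"{literal} -> {plain}")
```

Plain literals such as `"hello"` fail the hex check and are skipped, and a hex string whose de-hexed form is not valid base64 is also rejected, so the helper only reports strings that survive both layers.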

Unit 42 further described the Reaper threat, and its links to another malware family, DOGCALL, in the blog post:

“The Reaper group has been publicly attributed to North Korea by other security organizations, targeting organizations that align with the interests of this country. Such targeted organizations include the military and defense industry within South Korea, as well as a Middle Eastern organization that was doing business with North Korea. Part of this group’s modus operandi includes the use of a custom malware family called DOGCALL. DOGCALL is a remote access Trojan (RAT) that uses third-party hosting services to upload data and accept commands. At the time of publication, we observe this particular malware family in use by the Reaper threat actor group only.”

The Unit 42 researchers further surmised that a malware sample, based on its filename, was used to target people interested in the World Cup hosted in Russia in 2018.