Dogcall Rat links NOKKI malware with Reaper group - indicators provided

News by Mark Mayne

The NOKKI malware family has been linked to the Reaper group through the use of the Dogcall remote access Trojan (RAT) that uses third-party hosting services to upload data and accept commands.

A recent string of attacks involving the NOKKI malware family is being attributed to a North Korean hacker group dubbed Reaper according to a detailed new report.

The NOKKI malware family was recently used in attacks Russian and Cambodian speaking individuals or organisations, and has been linked to Reaper group through the use of the Dogcall malware family, the latter exclusively used by the Reaper group.

Dogcall is a remote access Trojan (RAT) that uses third-party hosting services to upload data and accept commands, and has been used by the Reaper group against a range of targets including the military and defence industry in South Korea and politically-motivated attacks.

In a report by researchers from Unit 42, the analysts also note that an entirely new malware family, dubbed Final1stspy, is also in use by the group or close affiliates. In the report, they note that NOKKI malware from July 2018 leveraged malicious macros within a Microsoft Word document, which used a simple obfuscation technique of base64 encoding.

However, it used a somewhat unusual method where it would first convert the base64-encoded text into hex, and then convert that hex into a text string. Comparing the NOKKI deobfuscation routine to an earlier World Cup predictions malware campaign revealed that the routine used between the samples is identical. When the chain of execution completes on the World Cup predictions.doc file, a Dogcall malware sample is executed on the victim's machine.

The new malware dropper identified in the process of the research, Final1stspy, delivers a Dogcall malware payload too, and can perform the following actions on the victim:
Take screenshots
Capture microphone data
Collect victim information
Collect files of interest
Download and execute additional payloads

Ed Williams, director EMEA, SpiderLabs at Trustwave told SC Media UK that: "What is interesting to note from my perspective is the re-use of Tactics, Techniques and Procedures (TTPs) as an appropriate event to lure a user in. As a community we should be more vocal when large events are happening and be mindful of their risks to staff and organisations across the globe.

"The threat actors have obviously found something that works for them and that works well, and they’ve run with it. The only form of ‘mild-sophistication’ is the obfuscation employed, which in reality isn’t that sophisticated. It further emphasises that APTs are not that advanced, and in reality they don’t need to be, which is the most disappointing conclusion to be drawn from this report."

The Reaper group is also known as APT37, Group123, FreeMilk, StarCruft, Operation Daybreak and Operation Erebus, and has been linked with a wide range of sophisticated attacks, in some cases using zero-day Adobe Flash vulnerabilities. Once a system has been compromised, the group deploy a variety of malware tool sets, including the Dogcall RAT, but also ShutterSpeed, and PoorAim, alongside a microphone-hijacking tool called SoundWave, and a package dubbed ZumKong, designed to steal credentials out of browser memory.

Matt Walmsley, EMEA director at Vectra summarised the wider implications: "RATs are an insidious threat with massive scope to impact an organisation through keylogging, eavesdropping conversations, remote execution, and more! Whilst the analysis around "Reaper Group" so far focuses heavily on identification of signatures for the initial infection malware, this approach by its very nature is always behind the threat becoming known and out in the wild.

"It’s simply not enough to build stronger defences; motivated and well-resourced attackers, particularly those from suspected nation state operations will always find a way given enough time and persistence.

"Enterprises should also be taking steps to ensure they can quickly identity active RATs already within their systems, and it’s here that a behavioural approach to detection can identify RATish, and associated command & control (C2) behaviours even if it’s a previously unseen RAT, or C2 tunnel through known and trusted domains.

"However, to do this kind of complex analysis by hand is slow and arduous and can’t be achieved at a meaningful speed or scale to protect the organisation. It’s in this area where automation, powered by AI can assist threat hunters by surfacing RAT and C2 detections, along with contextual information so that security teams can intervene with confidence and speed to isolate and remediate the threat before damage occurs."

Indicators of Compromise
World Cup predictions Sample
Final1stspy Samples

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews