S0353 NOKKI
NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.[1][2]
Item | Value |
---|---|
ID | S0353 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 30 January 2019 |
Last Modified | 18 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | NOKKI has used HTTP for C2 communications.[1] |
enterprise | T1071.002 | File Transfer Protocols | NOKKI has used FTP for C2 communications.[1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | NOKKI has established persistence by writing the payload path to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | NOKKI can collect data from the victim and stage it in %LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | NOKKI uses a unique, custom de-obfuscation technique.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | NOKKI can delete files to cover its tracks.[1] |
enterprise | T1105 | Ingress Tool Transfer | NOKKI has downloaded a remote module for execution.[1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.004 | Credential API Hooking | NOKKI installs a global hook with the Windows API call SetWindowsHookEx, which results in the hook module being injected into every GUI process running on the victim's machine.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior to being executed in a new process, in an apparent attempt to masquerade as a legitimate folder and file.[1] |
enterprise | T1027 | Obfuscated Files or Information | NOKKI uses Base64 encoding for strings.[1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | NOKKI has used rundll32 for execution.[1] |
enterprise | T1082 | System Information Discovery | NOKKI can gather information on drives and the operating system on the victim's machine.[1] |
enterprise | T1016 | System Network Configuration Discovery | NOKKI can gather information on the victim's IP address.[1] |
enterprise | T1033 | System Owner/User Discovery | NOKKI can collect the username from the victim's machine.[1] |
enterprise | T1124 | System Time Discovery | NOKKI can collect the current timestamp of the victim's machine.[1] |
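The host-side indicators in the table above (the look-alike `MicroSoft Updatea` directory under %LOCALAPPDATA%, the `svServiceUpdate.exe` payload name, the `uplog.tmp` staging file, the HKCU Run key and the use of rundll32) can be turned into a small hunt over endpoint telemetry. The following Python is an added example for this page; it is not code from ATT&CK or from the reports cited here. The event records are constructed by hand to resemble Sysmon Event ID 1 (process create), 11 (file create) and 13 (registry value set) exports, and the field names (`Image`, `CommandLine`, `TargetObject`, `Details`, `TargetFilename`) are an assumption about that log schema. The rundll32 rule keys on the drop directory rather than a module name because the page names none; the `mod.dll,Start` argument in the sample is hypothetical.

```python
"""Hunt for NOKKI-style host indicators in Sysmon-like telemetry.

Added illustration only: not code from ATT&CK or the cited reports.
Sample events below are constructed; field names assume a Sysmon-style schema.
"""
import re

# Indicators taken from the technique table, normalised to lower case.
MASQ_DIR = "\\microsoft updatea\\"          # look-alike folder under %LOCALAPPDATA%
PAYLOAD_NAME = "svserviceupdate.exe"        # dropped payload
STAGING_NAME = "uplog.tmp"                  # local staging file
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

# Sysmon records per-user hives as HKU\<SID>\..., not HKCU\...; fold the
# standard S-1-5-21-... SID prefix onto "hkcu" so one rule covers both forms.
_HKU_SID = re.compile(r"^hku\\s-1-5-21(-\d+)+\\")


def norm_path(p):
    """Lower-case and strip surrounding quotes so matching is case-insensitive."""
    return p.strip().strip('"').lower()


def norm_regkey(k):
    """Normalise a registry path, mapping HKU\\<SID>\\ to hkcu\\."""
    return _HKU_SID.sub(lambda m: "hkcu\\", norm_path(k))


def check_event(ev):
    """Return a list of (technique_id, reason) tuples for one event."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process create
        image = norm_path(ev.get("Image", ""))
        cmd = norm_path(ev.get("CommandLine", ""))
        if MASQ_DIR in image and image.endswith(PAYLOAD_NAME):
            hits.append(("T1036.005", "payload executed from look-alike AppData folder"))
        if image.endswith("\\rundll32.exe") and MASQ_DIR in cmd:
            hits.append(("T1218.011", "rundll32 loading a module from the drop folder"))
    elif eid == 11:  # file create
        target = norm_path(ev.get("TargetFilename", ""))
        if MASQ_DIR in target and target.endswith(STAGING_NAME):
            hits.append(("T1074.001", "staging file written in drop folder"))
    elif eid == 13:  # registry value set
        key = norm_regkey(ev.get("TargetObject", ""))
        data = norm_path(ev.get("Details", ""))
        # Trailing backslash in RUN_KEY keeps RunOnce and similar keys out.
        if key.startswith("hkcu" + RUN_KEY) and MASQ_DIR in data:
            hits.append(("T1547.001", "HKCU Run value pointing into drop folder"))
    return hits


def hunt(events):
    """Run check_event over a sequence of events; return flat list of findings."""
    findings = []
    for idx, ev in enumerate(events):
        for tid, why in check_event(ev):
            findings.append({"event": idx, "technique": tid, "reason": why})
    return findings


# Constructed sample telemetry: two benign records mixed with four that match.
SID = r"S-1-5-21-1111111111-2222222222-3333333333-1001"
DROP = r"C:\Users\alice\AppData\Local\MicroSoft Updatea"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p -s wuauserv"},
    {"EventID": 1, "Image": DROP + r"\svServiceUpdate.exe",
     "CommandLine": '"' + DROP + r'\svServiceUpdate.exe"'},
    {"EventID": 13,
     "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\svServiceUpdate" % SID,
     "Details": DROP + r"\svServiceUpdate.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" % SID,
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 11, "TargetFilename": DROP + r"\uplog.tmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": 'rundll32.exe "' + DROP + r'\mod.dll",Start'},  # hypothetical module
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print("event %d  %s  %s" % (f["event"], f["technique"], f["reason"]))
```

Matching on the directory substring rather than on an expanded path means the same rule fires whether the Run value stores `%LOCALAPPDATA%\...` or the fully expanded `C:\Users\...\AppData\Local\...`, and the HKU-to-HKCU fold keeps the rule aligned with how Sysmon actually records per-user Run keys.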
Groups That Use This Software
ID | Name | References |
---|---|---|
G0094 | Kimsuky | [3] |
References
- [1] Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
- [2] Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
- [3] CrowdStrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.