NOKKI

NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.[1][2]

ID: S0353
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 30 January 2019
Last Modified: 18 March 2020

Techniques Used

Domain | ID | Name | Use
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior to being executed in a new process, in an apparent attempt to masquerade as a legitimate folder and file.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

NOKKI uses a unique, custom de-obfuscation technique.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

NOKKI has established persistence by writing the payload to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

NOKKI has used HTTP for C2 communications.[1]

.002 Application Layer Protocol: File Transfer Protocols

NOKKI has used FTP for C2 communications.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

NOKKI can collect data from the victim and stage it in %LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.[1]

Enterprise T1027 Obfuscated Files or Information

NOKKI uses Base64 encoding for strings.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

NOKKI can delete files to cover tracks.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

NOKKI has used rundll32 for execution.[1]

Enterprise T1082 System Information Discovery

NOKKI can gather information on drives and the operating system on the victim’s machine.[1]

Enterprise T1033 System Owner/User Discovery

NOKKI can collect the username from the victim’s machine.[1]

Enterprise T1124 System Time Discovery

NOKKI can collect the current timestamp of the victim's machine.[1]

Enterprise T1016 System Network Configuration Discovery

NOKKI can gather information on the victim IP address.[1]

Enterprise T1105 Ingress Tool Transfer

NOKKI has downloaded a remote module for execution.[1]

Enterprise T1056 .004 Input Capture: Credential API Hooking

NOKKI uses the Windows call SetWindowsHookEx and begins injecting it into every GUI process running on the victim's machine.[1]

Groups That Use This Software

ID | Name | References
G0094 | Kimsuky | [3]

References