APT37: Final1stspy Reaping the FreeMilk
Researchers at Palo Alto Networks recently published a report on the NOKKI malware, which shares code with KONNI and, although the Palo Alto report does not mention it, with KimJongRAT (discovered by Paul Rascagnères of Cisco Talos in 2013), along with a second report presenting evidence that connects NOKKI to the North Korean threat actor known as APT37, Reaper, or Group123.
New report by @PaloAltoNtwks on #NOKKI malware with similarities to #KONNI also has code relations to #KimJongRAT in a report from 2013 by @r00tbsd https://t.co/Rc0T8a4o6h pic.twitter.com/QkjiaQJ2wF
— Jay Rosenberg (@jaytezer) September 28, 2018
The malicious document associated with NOKKI uses VBScript to download a newly discovered malware named Final1stspy, after the PDB string found inside it. As noted by Palo Alto Networks, Final1stspy consists of two components: an EXE named “LoadDll,” whose sole purpose is to load a DLL payload, and that DLL, internally named “hadowexecute.” After collecting information about the infected computer, the …