New KONNI Malware attacking Eurasia and Southeast Asia
Introduction
Beginning in early 2018, Unit 42 observed a series of attacks using a previously unreported malware family, which we have named ‘NOKKI’. The malware in question has ties to a previously reported malware family named KONNI; however, after careful consideration, we believe enough differences are present to warrant a distinct malware family name. To reflect the close relationship with KONNI, we chose NOKKI, swapping KONNI’s Ns and Ks.
Because of code overlap found within both malware families, as well as infrastructure overlap, we believe the threat actors responsible for KONNI are very likely also responsible for NOKKI. Previous reports stated that KONNI had likely been in use for over three years in multiple campaigns with a heavy interest in the Korean peninsula and surrounding areas. As of this writing, it is not certain if the KONNI or NOKKI operators are related to known …
IoC