NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
Recently, Unit 42 identified the NOKKI malware family that was used in attacks containing politically motivated lures targeting Russian- and Cambodian-speaking individuals or organizations. As part of this research, an interesting tie was discovered to the threat actor group known as Reaper.
The Reaper group has been publicly attributed to North Korea by other security organizations and targets organizations that align with the interests of this country. Such targeted organizations include the military and defense industry within South Korea, as well as a Middle Eastern organization that was doing business with North Korea. Part of this group’s modus operandi includes the use of a custom malware family called DOGCALL. DOGCALL is a remote access Trojan (RAT) that uses third-party hosting services to upload data and accept commands. At the time of publication, we observe this particular malware family in use by the Reaper threat actor …
IoC