NOKKI (9e4fd0d3-9736-421c-b1e1-96c1d3665c80)
Beginning in early 2018, Unit 42 observed a series of attacks using a previously unreported malware family, which we have named ‘NOKKI’. The malware in question has ties to a previously reported malware family named KONNI, however, after careful consideration, we believe enough differences are present to introduce a different malware family name. To reflect the close relationship with KONNI, we chose NOKKI, swapping KONNI’s Ns and Ks. Because of code overlap found within both malware families, as well as infrastructure overlap, we believe the threat actors responsible for KONNI are very likely also responsible for NOKKI. Previous reports stated it was likely KONNI had been in use for over three years in multiple campaigns with a heavy interest in the Korean peninsula and surrounding areas. As of this writing, it is not certain if the KONNI or NOKKI operators are related to known adversary groups operating in the regions of interest, although there is evidence of a tenuous relationship with a group known as Reaper.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Nokki (f3cbe9ca-e65e-41af-8eb2-1e9877434124) | Malpedia | NOKKI (9e4fd0d3-9736-421c-b1e1-96c1d3665c80) | Tool | 1 |