silversurfer
Palo Alto’s Unit 42 recently observed NOKKI-laden attacks that targeted Russian- and Cambodian-speaking individuals with political lures. NOKKI is a backdoor, first observed between January 2018 and May 2018 using a remote FTP server to ultimately accept commands and download additional modules. Newer versions of NOKKI then started appearing in June 2018 – these use HTTP.
According to Unit 42, the most recent cluster of attacks beginning in July 2018 saw NOKKI – previously seen to have some code overlap with another remote access trojan (RAT) malware called KONNI – making use of malicious macros within a Microsoft Word document.
“These particular macros were not overly complex in nature, and simply would attempt to perform the following actions: Download and run an executable malware payload; and download and open a Microsoft Word decoy document,” said Unit 42 researcher Josh Grunzweig, in a posting on Monday.