Malware News NOKKI Malware Sports Mysterious Link to Reaper APT Group

silversurfer

Palo Alto’s Unit 42 recently observed NOKKI-laden attacks that targeted Russian- and Cambodian-speaking individuals with political lures. NOKKI is a backdoor, first observed between January 2018 and May 2018 using a remote FTP server to ultimately accept commands and download additional modules. Newer versions of NOKKI then started appearing in June 2018 – these use HTTP.

According to Unit 42, the most recent cluster of attacks beginning in July 2018 saw NOKKI – previously seen to have some code overlap with another remote access trojan (RAT) malware called KONNI – making use of malicious macros within a Microsoft Word document.

“These particular macros were not overly complex in nature, and simply would attempt to perform the following actions: Download and run an executable malware payload; and download and open a Microsoft Word decoy document,” said Unit 42 researcher Josh Grunzweig, in a posting on Monday.
 
