CyberWire Daily - NOKKI, Reaper and DOGCALL target Russians and Cambodians. [Research Saturday]

Episode Date: January 5, 2019

Researchers from Unit 42 at Palo Alto Networks have discovered an interesting relationship between the NOKKI and DOGCALL malware families, as well as a new RAT being used to deploy the malware. Jen Miller-Osborn is Deputy Director of Threat Intelligence with Unit 42, and she joins us to share their findings. The original research can be found here: https://unit42.paloaltonetworks.com/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
Starting point is 00:01:10 protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:01:57 Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Starting point is 00:02:33 Learn more at zscaler.com slash security. So it actually came about when we were doing research for a blog that we published. Previous to this, we were looking at other KONNI activity, which is a different malware family that is believed to be used by the group. That's Jen Miller-Osborn. She's Deputy Director of Threat Intelligence at Palo Alto Networks' Unit 42. And while the researchers were looking at that, they came across what looked to be a related, pretty similar malware, but one that hadn't been written up or published anywhere that we had seen.
Starting point is 00:03:14 And we decided to call it NOKKI, which is basically reversing the ends of the I's because they were so similar. And that's what then led us into the other blog where we found DOGCALL and the other new tool that was being used to deliver DOGCALL. Take us through what did you discover when you started digging into these? So we initially discovered quite a bit of code overlap between KONNI and the new NOKKI. And a lot of TTPs also overlapped what was typically seen with the Reaper group. And then when we found the newer malware family, we still found some overlap. We did not find quite as much as we did between NOKKI and KONNI, which is why the title of the second piece was "Almost Ties the Knot."
Starting point is 00:03:58 Because we couldn't find enough data points to officially say that this is all Reaper. There is the possibility that there's another group that's operating in the region or that looks similar that's also potentially using some of these tools. And so there is still some ambiguity on our side, and we've been trying to talk with some other researchers following this to see if we can nail that down a little bit better for if it's all one group or maybe more than one group,
Starting point is 00:04:23 but some of the TTPs and maybe some of the tools are similar. That's something that we're still looking at. And who is the Reaper group generally believed to be? So other organizations have reported on Reaper and they typically attribute it to North Korea. I see. So take us through what goes on here. What does this RAT attempt to do? Why don't we start with NOKKI? NOKKI was used with some spear phishing that we saw that were delivering lures that were typically politically motivated themes, usually centering around targets for Russian or Cambodian speaking individuals or organizations. And that was the typical spear phishing that you see that people talk about all the time. There was nothing super advanced about what they did.
Starting point is 00:05:06 It was kind of typical spear phishing with malware that's intended to trick people into installing the malware on their system. And then once it's there, it starts to try to figure out where it is within the network and kind of what sorts of data they might be able to exfil or where they might be able to access within the network. It's kind of a typical sort of first stage beachhead that you'll see with a lot of attacks or that initial malware foothold to then move on to work on the final objectives, whether that's espionage related
Starting point is 00:05:36 or maybe just kind of waiting and collecting data. We don't have final visibility into what they were doing. What we do have, and from what we've seen, makes it seem like this is probably espionage-related. There was no real indication that this was just primarily finance-motivated. I see. So let's move on to DOGCALL and describe what's going on there
Starting point is 00:05:58 and then the similarities between that and NOKKI. So DOGCALL is one that's been previously reported on and tied with Reaper as far as we know; we've seen it in other blogs as well. So the interesting part we found here was we also found a previously unreported malware family while we were researching this, which was being used to actually deploy DOGCALL. It was not quite a dropper, a little more fully featured than that, but kind of similar to it. The name is based on a string in the malware, so it's not particularly reader friendly. It's roughly Final1stspy, is kind of what it looks like. So we found these
Starting point is 00:06:38 in a cluster of what we found all of this activity when we were researching it within a cluster using NOKKI. There were some attacks that took place in early July, and they used malicious macros, which is something that a number of groups have gone back to exploiting. This used to be really popular several years ago. And just mostly this year, we're seeing a lot of other groups, both criminal and espionage-related, that are getting back into using malicious macros. And what has to happen there is the user has to actually click on a button to allow the payload to run. An error will come up saying that you need to enable macros in the Word decoy or within the Excel, and the user has to actually click that button,
Starting point is 00:07:20 enable it to get the malware to run. And unfortunately, a lot of the lures are crafted in such a way that they look legitimate. So people do, even though it seems kind of out of character in this day and age, for people to still go take that extra step. It's relatively common that they will. And then once they're there, they're kind of a bit off to the races. Now the malware is installed in the system, the actors can start moving towards their final objectives. Now, there were some specific lures
Starting point is 00:07:45 that you found within these here. One of them was from ESPN. There were two in here. One was on the World Cup, a World Cup predictions kind of file. There was one that was relatively simple. It just contained the phrase, I miss you with simply the U. And there was another one that was also one they had taken from online, similar to the World Cup, that was discussing a visit by the North Korean leader to Singapore. I see. Yes, and the World Cup article, sorry, was found that was taken from ESPN. I see. So once the execution of the malware begins, what happens next?
Starting point is 00:08:20 I guess what I'm getting at is when the World Cup doc runs, it downloads the VBS script file? Yes. So it will then download, once it's executed and the macros have been enabled, it will download a VBS script file. And that contains the same deobfuscation routine that we had seen previously with DOGCALL. And the file that it writes is what will end up being used by the new malware family that we discovered that's then being used to download the final DOGCALL. Sorry, last. It's basically the first stage on the system, but it's the malware that's being installed.
Starting point is 00:08:57 I see. The final file. So this new malware that you've discovered, this is the final one, Final1stspy, is that what we're discussing? Yes, this is the Final1stspy. It's in an odd space because DOGCALL is the malware that's finally dropped onto the system. And what the Final1stspy is doing, it's essentially the dropper in the middle. So when a user opens the doc, it runs the macro. Then there's a VBS script call that goes out looking for this dropper, the Final1stspy
Starting point is 00:09:27 malware, which is something that hadn't been seen before. We'd missed the, or we hadn't seen, this dropper being used in the middle between the malicious macro and then finally delivering DOGCALL at the end. It's a little more fully featured than some droppers, although we're seeing that more and more. There's more droppers that can do some basic recon on a system to kind of get the idea of where they might be within a network. But the final goal of this is to then, it still needs to bring down more fully featured malware that's actually capable of executing a lot more commands and things that the actors would like to do. So that's why it then brings down DOGCALL.
Starting point is 00:10:11 DOGCALL is actually a more fully featured Trojan that can do a lot more actions than the dropper can. And are there some specific circumstances that it looks for before it downloads DOGCALL? Is that correct? Yes. So not only is there a specific routine to obfuscate strings, which is one of the ways we're able to characterize this particular dropper. It looks for a particular file within Windows on the target, a particular DLL. And if that is present, then the malware will load other DLLs
Starting point is 00:10:39 and it's going to try to look for it to call a specific function. If for whatever reason, the initial DLL that it's looking for is not there, then it will default to looking for a secondary DLL. Basically, it's looking for the difference between a 32- or 64-bit Windows operating system. Which one it finds then determines how it will continue to execute, because how it's going to infect either one will vary slightly
Starting point is 00:11:04 depending on whether it's the 64- or 32-bit. I see. So take me through, what are some of the capabilities of DOGCALL? So when DOGCALL is on the system, it has a number of functionalities or actions that it can do. It can take screenshots. It can do key logging. It can also record microphone data, collect the victim information from the system. It can collect files of interest. It can also download and execute additional payloads. It primarily uses third-party hosting for C2s, primarily things centered around cloud services, such as Dropbox, pCloud, Yandex Cloud, as well as Box itself.
Starting point is 00:11:43 Now, do you have any sense in terms of who they're trying to target with this? Are there any indications on that? The targets seem to be in line with what you would expect from any companies located within the kind of EMEA region. A lot of the targets tend to center around the military and defense industries. Within Korea, different Middle Eastern organizations that are doing business with either North or South Korea in some cases. So the targeting for the most part has been kept to that sort of companies involved in that region, whether for business or government purposes. Now, in terms of being detected by antivirus and so forth, where do we stand with that?
Starting point is 00:12:26 It varies based on the variant the actors have. They do make efforts to keep this with lower AV detection, and that's actually something we see relatively often. It's much simpler for an actor to change a couple of things within a weaponized Word document, say, to lower its detections versus actually coming up with a new family or coming up with an entire new variant to a family. So quite often we'll see some smaller changes made to the decoys themselves versus newer variants. Although between the recent research we've done, we've definitely shown that whoever is behind these attacks, whether it's one group, whether it's more than
Starting point is 00:13:05 one group, maybe whether perhaps even there's a tool dev that maybe shares things among different groups that they do, they are actively still working to increase the effectiveness of their tools and also how many tools they have. We'd found a secondary malware family between the one blog, then we found a new dropper that hadn't been seen before, and we found some interesting code and obfuscation overlaps between all of them. So the group is definitely working to improve their success rates, not just by having good lures and decoys that actually look like something their targets would probably be interested in and want to read and want to open; they're putting the time in as well to improve their tools so that once they're actually in an environment, they can try to accomplish their
Starting point is 00:13:49 objectives. With all of these tools, it can be somewhat fuzzy and it's still a bit unclear to us how they all relate together from a wider who is behind all of them perspective. So to be careful for people that are looking at this, do not just lump them all into being one group. We noted there were ties with Reaper. However, they aren't strong enough that we would say definitively all of these things are one-to-one just to Reaper. So just for people that are interested, keep that in mind. And also that if there's anyone that might have other data on this that would like to collaborate with the team, we are always more than happy to talk to other researchers. Our thanks to Jen Miller-Osborn from Palo Alto Networks' Unit 42 for joining us.
Starting point is 00:14:36 The research is titled, NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. We'll have a link in the show notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach
Starting point is 00:15:27 can keep your company safe and compliant. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Starting point is 00:15:56 Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
