Research Saturday 1.5.19
Ep 67 | 1.5.19

NOKKI, Reaper and Dogcall target Russians and Cambodians.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:22] And now a quick word about our sponsor, Juniper Networks. They're empowering you to automate your security, see your networks, and protect your clouds. Juniper Networks has you covered so your security teams can finally get back to fortifying your security posture. Learn more at, or connect with Juniper on Twitter or Facebook. That's And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:00:55] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Jen Miller-Osborn: [00:01:39] So, it actually came about when we were doing research for a blog that we published previous to this. We were looking at other KONNI activity, which is a different malware family that is believed to be used by the group.

Dave Bittner: [00:01:51] That's Jen Miller-Osborn. She's Deputy Director of Threat Intelligence at Palo Alto Networks Unit 42.

Jen Miller-Osborn: [00:01:58] And while the researchers were looking at that, they came across what looked to be a related, pretty similar malware, but one that hadn't been written up or published anywhere that we had seen. And we decided to call it NOKKI, which was just basically reversing the N's and the I's because they were so similar. And that's what then led us into the other blog where we found the DOGCALL and the other new tool that was being used to deliver a DOGCALL.

Dave Bittner: [00:02:22] Take us through - what did you discover when you started digging into these?

Jen Miller-Osborn: [00:02:26] So, we initially discovered quite a bit of code overlap between KONNI and the new NOKKI, and a lot of TPPs also overlapped what was typically seen with the Reaper group. And then when we found the newer malware family, we still found some overlap. We did not find quite as much as we did between NOKKI and KONNI, which is why the title of the second piece was "Almost Ties the Knot," because we couldn't find enough data points to officially say that this is all Reaper. There is the possibility that there's another group that's operating in the region, or that looks similar, that's also potentially using some of these tools.

Jen Miller-Osborn: [00:03:06] So there is still some ambiguity on our side, and we've been trying to talk with some other researchers following this to see if we can nail that down a little bit better, for if it's all one group, or maybe more than one group, but some of the TPPs and maybe some of the tools are similar - that's something that we're still looking at.

Dave Bittner: [00:03:21] And who is the Reaper group generally believed to be?

Jen Miller-Osborn: [00:03:24] So, other organizations have reported on Reaper and they typically attribute it to North Korea.

Dave Bittner: [00:03:31] I see. So, take us through what goes on here. What does this RAT attempt to do? Why don't we start with NOKKI?

Jen Miller-Osborn: [00:03:38] NOKKI was used with some spear-phishing that we saw, that were delivering lures that were typically politically-motivated themes, usually centering around targets for Russian or Cambodian-speaking individuals or organizations. And that was the typical spear-phishing that you see, that people talk about all the time. There was nothing super-advanced about what they did. It was kind of typical spear-phishing with malware that's intended to trick people into installing the malware on their system. And then once it's there it starts to try to do - trying to figure out where it is within the network, and kind of what sorts of data they might be able to exfil, or where they might be able to access within the network.

Jen Miller-Osborn: [00:04:18] It's kind of a typical, sort of first-stage beachhead that you'll see with a lot of attacks for an initial malware foothold to then move on to work on the final objective, whether that's espionage-related, or maybe just kind of waiting and collecting data. We don't have final visibility into what they were doing. What we do have - and the theming of the words makes it seem like this is probably espionage-related - there was no real indication that this was primarily finance-motivated.

Dave Bittner: [00:04:47] I see. So, let's move on to DOGCALL and describe what's going on there, and then the similarities between that and NOKKI.

Jen Miller-Osborn: [00:04:54] So, DOGCALL is one that's been previously reported on and tied with Reaper, as far as we know, and we've seen it in other blogs as well. So, the interesting part we found here, was we also found a previously unreported malware family while we were researching this, which was being used to actually deploy DOGCALL. It was more of - not quite, a little more fully-featured than a dropper, but kind of similar to that. The name is based on a string in the malware, so it's not particularly reading-friendly. It's roughly Final1stspy, is kind of what it looks like.

Dave Bittner: [00:05:31] Hmm.

Jen Miller-Osborn: [00:05:31] So, we found these in a cluster - when we found all of this when we were researching it, it was in a a cluster using NOKKI. There were some attacks that took place in early July, and they used malicious macros - which is something that a number of groups have gone back to exploiting. This used to be really popular several years ago, and just, mostly this year, we're seeing a lot of other groups - both criminal and espionage-related - that are getting back into using malicious macros.

Jen Miller-Osborn: [00:05:58] And what has to happen there is the user has to actually click on a button to allow the payload to run. An arrow will come up saying that, you know, you need to enable macros in your Word decoy, or within the Excel, and the user has to actually click that button "enable" to get the malware to run. Unfortunately, a lot of the lures are crafted in such a way that they look legitimate. So, people do, even though it seems kind of out of character in this day and age for people to still go and take that extra step, it's relatively common that they will.

Jen Miller-Osborn: [00:06:29] And then once they're there, they're kind of off to the races. Now the malware is installed on the system, the actors can start moving towards their final objective.

Dave Bittner: [00:06:36] Now, there were some specific lures that you found within these here - one of them was from ESPN?

Jen Miller-Osborn: [00:06:43] There were two in here. One was on the World Cup - a World Cup predictions kind of file. There was one that was relatively simple - it just contained the phrase "I miss u," with simply the "U." And there was another one that was also one they had taken from online, similar to the World Cup that was discussing a visit by the North Korean leader to Singapore.

Dave Bittner: [00:07:04] I see.

Jen Miller-Osborn: [00:07:04] Yes, and the World Cup article - sorry - was found, that was taken from ESPN.

Dave Bittner: [00:07:09] I see. So, once the execution of the malware begins, what happens next? I guess what I'm getting at is, when the World Cup doc runs, it downloads the VBS script file?

Jen Miller-Osborn: [00:07:21] Yes. So, they will then download - once it's executed and the macro has been enabled - it will download a VBS script file, and that contains the same deobfuscation routine that we had seen previously with DOGCALL. And the file that it writes will end up being used by the new malware family that we discovered, that's then being used to download the final DOGCALL. Sorry, last - it's basically the first stage on the system, but it's the malware that's being installed.

Dave Bittner: [00:07:52] I see.

Jen Miller-Osborn: [00:07:52] This final file.

Dave Bittner: [00:07:54] So, this new malware that you've discovered - this is the Final1stspy? Is that what we're discussing?

Jen Miller-Osborn: [00:08:00] Yes. This is the stspy. It's in an odd space, because DOGCALL is the malware that's finally dropped onto the system, and what the Final1stspy is doing - it's essentially the dropper in the middle. So, when a user opens the doc, it runs the macro. Then there's a VBS script call that goes out looking for this, this dropper, the Final1stspy malware, which is something that hadn't been seen before. We'd missed the - or we hadn't seen this dropper being used in the middle between the malicious macro, and then finally delivering DOGCALL at the end.

Dave Bittner: [00:08:33] I see.

Jen Miller-Osborn: [00:08:33] So this just ends up being - it's a little more fully-featured than some droppers, although we're seeing that more and more, where there's more droppers that can do some basic recon on a system to kind of get the idea of where they might be within the network. But the final goal of this is to then - it still needs to bring down more fully-featured malware, that's actually capable of executing a lot more commands and things that the actors would like to do. So that's why it then brings down DOGCALL. DOGCALL's actually a more fully-featured Trojan that can do a lot more actions than the dropper can.

Dave Bittner: [00:09:05] And there are some specific circumstances that it looks for before it downloads DOGCALL? Is that correct?

Jen Miller-Osborn: [00:09:11] Yes. So, not only is there a specific routine to obfuscate strings, which is one of the ways we're able to characterize this particular dropper, it looks for a particular file within Windows on the target - a particular DLL - and if that is present, then the malware will load other DLLs, and it's going to try to look for and to call a specific function. If, for whatever reason, the initial DLL that it's looking for is not there, then it will default to looking for a secondary DLL. Basically, it's looking for the difference between a 32 or 64-bit Windows operating system, and depending on which one it finds, then depends on how it will continue to execute. Because how it's going to infect either one will vary slightly, depending on whether it's a 64 or 32-bit.

Dave Bittner: [00:09:59] I see. So take me through - what are some of the capabilities of DOGCALL?

Jen Miller-Osborn: [00:10:04] So, when DOGCALL is on the system, it has a number of functionalities or actions that can do. It can take screenshots. It can do key logging. It can also record microphone data, collect the victim information from the system. It can collect files of interest. It can also download and execute additional payloads. It primarily uses third-party hosting for C2s - primarily things centered around cloud services, such as Dropbox, pCloud, Yandex Cloud, as well as Box itself.

Dave Bittner: [00:10:38] Now, do you have any sense in terms of who they're trying to target with this? Is there any indications on that?

Jen Miller-Osborn: [00:10:44] The targets seem to be in line with what you would expect from any companies located within the kind of AMEA region. A lot of the targets tend to center around the military and defense industries within Korea, different Middle Eastern organizations that are doing business with either North or South Korea, in some cases. So that's - the targeting, for the most part, has been kept to that sort of companies involved in that region, whether for business or government purposes.

Dave Bittner: [00:11:13] Now, in terms of being detected by antivirus and so forth, where do we stand with that?

Jen Miller-Osborn: [00:11:20] It varies based on the variant the actors have. They do make efforts to keep this with lower AV detection, and that's actually something we see relatively often. It's much more similar for an actor to change a couple of things within a weaponized Word documents, say, to lower its detections, versus actually coming up with a new family, or coming with an entire new variant to a family.

Jen Miller-Osborn: [00:11:45] So, quite often we'll see some smaller changes made to the decoys themselves versus newer variants, although, between the recent research we've done, we've definitely shown that whoever is behind these attacks - whether it's one group, whether it's more than one group, maybe, whether perhaps even there is a tool dev that maybe shares things among different groups - that they do, they are actively still working to increase the effectiveness of the tools and also how many tools they have.

Jen Miller-Osborn: [00:12:12] We'd found a secondary malware family between the one blog, and then we found a new dropper that hadn't been seen before, and we found some interesting code obfuscation overlaps between all of them. So, the group is definitely working to improve their success rates - not just by having good lures and decoys that actually look like something their targets would probably be interested in, and want to read, and want to open - they're putting the time in as well to improve their tools, so that once they're actually in an environment, they can try to accomplish their objectives.

Jen Miller-Osborn: [00:12:44] With all of these tools, it can be somewhat fuzzy, and it's still a bit unclear to us how they all relate together from a wider "who is behind all of them" perspective. So to be careful, for people that are looking at this, to not just lump them all into being one group. We noted there were ties with Reaper. However, they aren't strong enough that we would say, definitively, all of these things are one-to-one just to Reaper.

Jen Miller-Osborn: [00:13:10] So, just for people that are interested in that, to keep that in mind. And also that, if there's anyone that might have other data on this that would like to collaborate with the team, we're always more than happy to talk to other researchers

Dave Bittner: [00:13:24] Our thanks to Jen Miller-Osborn from Palo Alto Networks Unit 42 for joining us. The research is titled, "NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT." We'll have a link in the show notes.

Dave Bittner: [00:13:41] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:13:50] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:13:58] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.