Threat Report NOKKI: What is Nokki Malware and How Does it Work?

Nokki is a modular remote access tool used to gather information from and stage data on a victim's machine. It uses a custom de-obfuscation technique and can establish persistence by writing to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Nokki has been observed in attacks since January 2018 and shares a significant amount of code with the KONNI malware family. There is some evidence potentially linking Nokki to APT37.

Nokki Malware Capabilities

Nokki uses several techniques to evade detection and collect information about victim systems: it adds programs to startup folders or references them in Registry Run keys, collects network configuration and settings, hooks Windows API functions, and transfers files over application-layer protocols. It may also delete files left behind by its intrusion activity and obfuscate its files or data to make them harder to discover and analyze.

  • Persistence and collection: Nokki adds programs to startup folders or references them in Registry Run keys, enumerates network configuration details, and hooks Windows API functions.
  • Command and control and reconnaissance: Nokki communicates with remote systems over application-layer protocols so that its traffic blends in with normal activity, and gathers system time and time zone information from the local or a remote system. It also uses obfuscated files or data to hide intrusion artifacts from analysis.
  • Defense evasion: Nokki deletes files, encrypts or obfuscates data, and uses names or locations that mimic trusted programs or resources. This can happen during or after the intrusion.
  • System discovery and execution: Nokki collects operating system and hardware details (version, patches, hotfixes, service packs, architecture) and may use them to decide follow-on behavior, such as whether to fully infect the target or attempt specific actions. It also abuses rundll32.exe to proxy execution of malicious code.

Ways to Detect and Mitigate Nokki Malware

  • Monitor the Registry Run keys and Startup folders for changes, and use a tool such as Sysinternals Autoruns to surface new autostart entries that could be persistence attempts. Monitor for calls to SetWindowsHookEx and SetWinEventHook, which are used to install hooks. Discovery of system and network configuration is noisy on its own, so correlate it with other suspicious behavior from the same process rather than alerting on it in isolation.
  • Analyze network data for unusual data flows, monitor command-line activity, and watch for attempts to deobfuscate or decode files. The malware itself may be hard to detect directly, so process and command-line monitoring is needed to catch the behavior it produces.
  • Collect file hashes and monitor for unusual file activity. An obfuscated file is hard to identify on its own, but the activity that produced it (the dropper, script, or command that wrote it) is often detectable.
  • Monitor for file creation and file transfers, and analyze network data for the transfers themselves.
  • Baseline the environment with your own system and network discovery so that unexpected discovery activity stands out, and monitor process activity to identify anything suspicious.
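The persistence mechanism described at the top of the page and the monitoring advice above can be turned into concrete detection logic. The following is an added example, not code from the original page or from any published Nokki analysis: a small Python rule set run over constructed Sysmon-style events (Registry value set, process create, file create). The field names follow Sysmon's event schema (EventID, TargetObject, Details, Image, CommandLine, TargetFilename); the events, paths, SID, and value names are constructed, and the ATT&CK IDs in the rule names (T1547.001 for Run key / Startup folder persistence, T1218.011 for rundll32 proxy execution) are the standard technique identifiers. The example goes slightly beyond the page by also scoring a rundll32 launch and a Startup folder drop, since those are the two other autostart-related behaviors the page attributes to Nokki.

```python
"""Detection rules for the Nokki behaviours described on this page,
run over constructed Sysmon-style events. Added example, not code from
the original page. Field names follow Sysmon's event schema; all paths,
SIDs and value names below are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Registry Run / RunOnce keys under any hive (HKCU shows up as HKU\<SID> in Sysmon).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Locations a standard user can write to; persistence launched from here is far more
# suspicious than an installer writing a Run value that points into System32.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Windows\\Temp\\", re.I)
# Per-user Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# rundll32 invocations: capture the DLL path (first argument, up to the comma).
# Assumes an unquoted path without spaces, which is what a Run value commonly contains.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+\.dll)", re.I)


@dataclass
class Finding:
    rule: str
    severity: str
    evidence: str


def run_key_persistence(ev: Dict[str, str]) -> Optional[Finding]:
    """Sysmon EventID 13 (RegistryEvent, value set) on a Run/RunOnce key."""
    if ev.get("EventID") != "13" or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    details = ev.get("Details", "")
    # Run-key writes are routine for installers; raise severity only when the
    # launched binary or the writing process lives in a user-writable path.
    if USER_WRITABLE_RE.search(details) or USER_WRITABLE_RE.search(ev.get("Image", "")):
        return Finding("T1547.001 Run key persistence", "high", ev["TargetObject"])
    return Finding("T1547.001 Run key persistence", "low", ev["TargetObject"])


def rundll32_proxy(ev: Dict[str, str]) -> Optional[Finding]:
    """Sysmon EventID 1 (ProcessCreate): rundll32 loading a DLL from a user-writable path."""
    if ev.get("EventID") != "1":
        return None
    m = RUNDLL_RE.search(ev.get("CommandLine", ""))
    if m and USER_WRITABLE_RE.search(m.group("dll")):
        return Finding("T1218.011 rundll32 proxy execution", "high", m.group("dll"))
    return None


def startup_folder_drop(ev: Dict[str, str]) -> Optional[Finding]:
    """Sysmon EventID 11 (FileCreate) into a Startup folder."""
    if ev.get("EventID") != "11":
        return None
    target = ev.get("TargetFilename", "")
    if STARTUP_RE.search(target):
        return Finding("T1547.001 Startup folder drop", "medium", target)
    return None


RULES: List[Callable[[Dict[str, str]], Optional[Finding]]] = [
    run_key_persistence, rundll32_proxy, startup_folder_drop,
]


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply every rule to every event; return all findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


# Constructed sample telemetry (not real Nokki events): a dropper in Temp writes a
# Run value that launches rundll32 on a DLL in AppData, that value fires, a .lnk is
# dropped in the Startup folder, and, for contrast, msiexec writes a benign Run value.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Roaming\upd.dll,Start"},
    {"EventID": "1", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\upd.dll,Start"},
    {"EventID": "1", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"EventID": "11", "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"EventID": "13", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule}: {f.evidence}")
```

Running the block as a script prints four findings: the AppData-backed Run value and the rundll32 launch of the AppData DLL at high severity, the Startup folder drop at medium, and the msiexec Run value at low; the benign rundll32 Control Panel launch produces nothing. The severity split is the point: a Run key write by itself is the low-value signal the page warns about, and it only becomes actionable when the launched image, the writing process, or the loaded DLL sits somewhere a standard user can write.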

Reactionary Times News Desk