NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.[1][2]

ID: S0353
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1074 | Data Staged | NOKKI can collect data from the victim and stage it in %LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | NOKKI uses a unique, custom de-obfuscation technique.[1] |
| Enterprise | T1107 | File Deletion | NOKKI can delete files to cover tracks.[1] |
| Enterprise | T1179 | Hooking | NOKKI uses the Windows call SetWindowsHookEx and begins injecting it into every GUI process running on the victim's machine.[1] |
| Enterprise | T1036 | Masquerading | NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior to being executed in a new process, in an apparent attempt to masquerade as a legitimate folder and file.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | NOKKI uses Base64 encoding for strings.[1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | NOKKI has established persistence by writing the payload to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[1] |
| Enterprise | T1105 | Remote File Copy | NOKKI has downloaded a remote module for execution.[1] |
| Enterprise | T1085 | Rundll32 | NOKKI has used rundll32 for execution.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol | NOKKI has used FTP and HTTP for C2 communications.[1] |
| Enterprise | T1082 | System Information Discovery | NOKKI can gather information on drives and the operating system on the victim's machine.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | NOKKI can gather information on the victim IP address.[1] |
| Enterprise | T1033 | System Owner/User Discovery | NOKKI can collect the username from the victim's machine.[1] |
| Enterprise | T1124 | System Time Discovery | NOKKI can collect the current timestamp of the victim's machine.[1] |
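As an added hunting example (not ATT&CK content and not from the cited reports), the following script maps constructed Sysmon-style events to the NOKKI behaviours listed above: writes into the masqueraded "MicroSoft Updatea" directory (T1036/T1074), a Run key set by a binary living in the user profile (T1060), and rundll32 loading a DLL from a user-writable path (T1085). The event shape, the user name, and the Run value name `svServiceUpdate` are assumptions; the page only gives the key and the file paths.

```python
import re

# Constructed events shaped after the behaviours in the table above; not real telemetry.
# The Run value name "svServiceUpdate" is an assumption, the page only names the key.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\AppData\Local\MicroSoft Updatea\svServiceUpdate.exe"},
    {"type": "FileCreate", "image": r"C:\Users\alice\AppData\Local\MicroSoft Updatea\svServiceUpdate.exe",
     "target": r"C:\Users\alice\AppData\Local\MicroSoft Updatea\uplog.tmp"},
    {"type": "RegistryValueSet",
     "image": r"C:\Users\alice\AppData\Local\MicroSoft Updatea\svServiceUpdate.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svServiceUpdate"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\mod.dll,Run"},
    {"type": "FileCreate", "image": r"C:\Windows\System32\svchost.exe",   # benign, must not match
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temp\x.tmp"},
]

STAGING_DIR = re.compile(r"\\AppData\\Local\\MicroSoft Updatea\\", re.IGNORECASE)
RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
RUNDLL32 = re.compile(r"\\rundll32\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

def classify(event):
    """Return a list of (technique_id, reason) tuples for one event."""
    hits = []
    target = event.get("target", "")
    image = event.get("image", "")
    if event["type"] == "FileCreate" and STAGING_DIR.search(target):
        # uplog.tmp is the staging file; anything else in that folder is the masqueraded binary
        tid = "T1074" if target.lower().endswith("uplog.tmp") else "T1036"
        hits.append((tid, f"write into NOKKI staging/masquerade directory: {target}"))
    if event["type"] == "RegistryValueSet" and RUN_KEY.search(target):
        if USER_WRITABLE.search(image):  # Run key written by a user-profile binary, not an installer
            hits.append(("T1060", f"Run key persistence set by {image}"))
    if event["type"] == "ProcessCreate" and RUNDLL32.search(image):
        if USER_WRITABLE.search(event.get("cmdline", "")):
            hits.append(("T1085", f"rundll32 loading a DLL from the user profile: {event['cmdline']}"))
    return hits

def hunt(events):
    """Run classify() over every event and return a {technique_id: count} summary."""
    counts = {}
    for ev in events:
        for tid, reason in classify(ev):
            counts[tid] = counts.get(tid, 0) + 1
            print(f"[{tid}] {reason}")
    return counts

if __name__ == "__main__":
    hunt(SAMPLE_EVENTS)
```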