Palo Alto Networks Unit 42 discovers the new malware NOKKI, probably used by the Reaper North Korean hacker group
The Reaper hacker group, linked to North Korea, is probably using a new malware family, dubbed NOKKI, to conduct cyber attacks against targets in Eurasia and possibly Southeast Asia. It has been discovered by Palo Alto Networks Unit 42 cyber security experts. Moreover, the new malicious code has ties to a previously reported malware family named KONNI, which was used for over three years in multiple campaigns with a heavy interest in the Korean peninsula and surrounding areas. As of now, it is not certain whether NOKKI operators are related to known adversary groups operating in the regions of interest, although there is evidence of a tenuous relationship with Reaper Pyongyang hackers. The latest activity leveraging the malware payload likely “targets politically-motivated victims in Eurasia and possibly Southeast Asia,” as written in the company’s blog.
There are at least two variants of the malware. It targets Eurasia and possibly Southeast Asia, using compromised servers located especially in South Korea
The NOKKI cyber attacks “leverage compromised legitimate infrastructure for both delivery and command and control (C2),” Palo Alto Networks reports. “These compromised servers are largely located within South Korea. In total, we observed two waves of attacks spanning from early 2018 to at least July 2018 which we were able to cluster via the specific network protocol used for C2. In addition, the decoy documents themselves were both created and last modified by an author named zeus.” Moreover, there are at least two distinct variants of NOKKI. The earlier one was used in cyber aggressions from January 2018 to May 2018 and made use of FTP for C2 communications. The second one, seen since June 2018, made use of HTTP. “While both variants used different network protocols for communication, they both used the same file path structure on the remote C2 server.”
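The two analytical steps the report describes, clustering sessions by C2 protocol and then linking the FTP and HTTP variants through a shared file path structure, can be reproduced by a defender over their own transfer and proxy logs. The following is an added example written for this article; it is not code from Unit 42 or from the report. The records, hostnames and path layout are constructed placeholders and do not reflect NOKKI's real C2 path structure, which the article does not disclose.

```python
"""Pivoting on C2 path structure across protocols.

Added example, not Unit 42's code. The records below are constructed;
the path layout is a placeholder, not NOKKI's real C2 path structure.
"""
import re
from collections import defaultdict

# Constructed sample records: (protocol, server, path) as an analyst might
# extract them from FTP transfer logs and HTTP proxy logs. Hostnames and
# paths are placeholders for illustration only.
SAMPLE_RECORDS = [
    ("ftp",  "compromised-site-a.example", "/upload/20180214/a1b2c3d4/data.bin"),
    ("ftp",  "compromised-site-a.example", "/upload/20180301/9f8e7d6c/data.bin"),
    ("ftp",  "backup.example",             "/backups/2018/db.sql.gz"),
    ("http", "compromised-site-b.example", "/upload/20180607/0badf00d/data.bin"),
    ("http", "compromised-site-b.example", "/upload/20180712/deadbeef/data.bin"),
    ("http", "cdn.example",                "/static/js/app.js"),
]

# Segments made only of digits or hex characters (dates, victim ids, hashes)
# are treated as variable parts of a path.
HEX_OR_NUM = re.compile(r"[0-9a-fA-F]+")


def path_template(path: str) -> str:
    """Collapse variable-looking segments into a placeholder so that paths
    sharing the same directory structure compare equal."""
    parts = path.split("/")
    out = []
    for segment in parts:
        if segment and HEX_OR_NUM.fullmatch(segment):
            out.append("{var}")
        else:
            out.append(segment)
    return "/".join(out)


def cluster_by_protocol(records):
    """First pass, as in the report: group sessions by the C2 protocol used.
    Returns {protocol: [(server, path), ...]}."""
    groups = defaultdict(list)
    for proto, server, path in records:
        groups[proto].append((server, path))
    return dict(groups)


def cross_protocol_templates(records):
    """Second pass: find path templates that appear over more than one
    protocol, i.e. candidates for the same tooling behind different
    transports. Returns {template: sorted list of protocols}."""
    protocols_by_template = defaultdict(set)
    for proto, _server, path in records:
        protocols_by_template[path_template(path)].add(proto)
    return {t: sorted(p) for t, p in protocols_by_template.items() if len(p) > 1}


def servers_for_template(records, template):
    """List the servers on which a given path template was observed, which
    is the set of infrastructure to review or block."""
    return sorted({server for _p, server, path in records
                   if path_template(path) == template})


if __name__ == "__main__":
    for proto, sessions in cluster_by_protocol(SAMPLE_RECORDS).items():
        print(f"{proto}: {len(sessions)} sessions")
    for template, protos in cross_protocol_templates(SAMPLE_RECORDS).items():
        print(f"shared structure {template} over {protos}: "
              f"{servers_for_template(SAMPLE_RECORDS, template)}")
```

On the constructed records the benign FTP backup and the CDN asset each keep their own template, while the `/upload/{var}/{var}/data.bin` structure is the only one seen over both FTP and HTTP, which is the pivot that ties the two waves together. In practice the regular expression for variable segments should be tuned to the naming scheme actually observed, since an over-broad template merges unrelated traffic and an over-narrow one hides the link.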