Recently, Unit 42 identified the NOKKI malware family that was used in attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. As part of this research, an interesting tie was discovered to the threat actor group known as Reaper.
The Reaper group has been publicly attributed to North Korea by other security organizations, targeting organizations that align with the interests of this country. Such targeted organizations include the military and defense industry within South Korea, as well as a Middle Eastern organization that was doing business with North Korea. Part of this group’s modus operandi includes the use of a custom malware family called DOGCALL. DOGCALL is a remote access Trojan (RAT) that uses third-party hosting services to upload data and accept commands. At the time of publication, we observe this particular malware family in use by the Reaper threat actor group only.
This blog details the relationship found between the NOKKI and DOGCALL malware families, as well provides additional information about a previously unreported malware family used to deploy DOGCALL, which we have named Final1stspy based on a pdb string in the malware.
Read more here