From 2402c7d98f0ab23f065ae00d3d34ab6610e9a3e9 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 29 Sep 2018 09:01:47 +0200
Subject: [PATCH] chg: [tool] NOKKI added ref: https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 7493a83..d64d18b 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -4209,6 +4209,16 @@
 "uuid": "24ee55e3-697f-482f-8fa8-d05999df40cd",
 "value": "KONNI"
 },
+ {
+ "value": "NOKKI",
+ "uuid": "9e4fd0d3-9736-421c-b1e1-96c1d3665c80",
+ "description": "Beginning in early 2018, Unit 42 observed a series of attacks using a previously unreported malware family, which we have named ‘NOKKI’. The malware in question has ties to a previously reported malware family named KONNI, however, after careful consideration, we believe enough differences are present to introduce a different malware family name. To reflect the close relationship with KONNI, we chose NOKKI, swapping KONNI’s Ns and Ks. Because of code overlap found within both malware families, as well as infrastructure overlap, we believe the threat actors responsible for KONNI are very likely also responsible for NOKKI. Previous reports stated it was likely KONNI had been in use for over three years in multiple campaigns with a heavy interest in the Korean peninsula and surrounding areas. As of this writing, it is not certain if the KONNI or NOKKI operators are related to known adversary groups operating in the regions of interest, although there is evidence of a tenuous relationship with a group known as Reaper.",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/"
+ ]
+ }
+ },
 {
 "description": "Recently, Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.",
 "meta": {
@@ -5821,5 +5831,5 @@
 "uuid": "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/"
 }
 ],
- "version": 88
+ "version": 89
 }
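Review bot: The new NOKKI entry in the first hunk records its tie to KONNI only in the free-text `description`, so tooling that correlates clusters by uuid cannot follow the link. Assuming this file's cluster schema accepts a `related` list (none is visible in the hunk), add one pointing at the KONNI uuid shown on the context line just above, as sketched below. The KONNI object starts before the hunk, so a reverse link would have to be added there separately. Two smaller points: the description is pasted in the vendor's first person ("we have named", "we believe"), which is ambiguous in a shared cluster file and reads better attributed, e.g. `Unit 42 reports ...`. The new keys are also ordered `value`, `uuid`, `description`, `meta`, while the neighbouring entries visible here run `description`, `meta`, then `uuid`, `value`.

```json
"related": [
  {
    "dest-uuid": "24ee55e3-697f-482f-8fa8-d05999df40cd",
    "type": "similar"
  }
],
"uuid": "9e4fd0d3-9736-421c-b1e1-96c1d3665c80",
```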