NokNok

Summary
A backdoor heavily reliant on shell scripting
Class
APT Trojan
Class Summary
Advanced Persistent Threat (APT) Trojans are a form of stealthy malware. They're designed to maintain their presence on your macOS system over extended periods, making detection challenging. These Trojans are often used in targeted attacks, typically by skilled adversaries such as nation-state actors or sophisticated cybercriminal groups. They can steal sensitive data or execute remote commands. If an APT Trojan is detected, it's crucial to consult with a security specialist. Considering the stealth and persistence of APT actors, you might need an overall security audit to ensure complete removal and secure any breached data.
Description

NokNok is an APT malware chain attributed to an Iranian threat actor, designed for reconnaissance and backdoor deployment on victim systems. The attackers employ targeted phishing emails that impersonate the Royal United Services Institute (RUSI), enticing victims to download a malicious VPN application bearing the RUSI name. Once installed, NokNok leverages bash scripts to establish backdoors and receive server commands, capable of either self-termination or executing additional modules. These modules collect data on running processes, system information, and installed applications, and can also ensure persistence. For secure data transmission, NokNok employs its own encryption, further obfuscated through base64 encoding and segmentation.

References
Example Hashes
  • 1fb7f1bf97b72379494ea140c42d6ddd53f0a78ce22e9192cfba3bae58251da4
    VirusTotal
  • e98afa8550f81196e456c0cd4397120469212e190027e33a1131f602892b5f79
    VirusTotal