New Nokoyawa Ransomware Possibly Related to Hive

Trend Micro researchers present evidence that Nokoyawa ransomware is likely connected to Hive, sharing parts of the attack chain, tools, and even infrastructure, with most Nokoyawa targets in Argentina. The analysis also highlights similarities and key differences in tooling, compiler choices, and encryption, and provides defender recommendations to mitigate such threats. #Nokoyawa #Hive #CobaltStrike #GMER #PCHunter #Mimikatz #Z0Miner #Boxter #Argentina

Keypoints

  • Nokoyawa is likely connected to Hive due to similarities in attack chain and shared infrastructure.
  • Both families exhibit arrival-phase use of Cobalt Strike and defense-evasion/info-gathering tools such as GMER and PC Hunter.
  • Nokoyawa reportedly leverages additional tools (Mimikatz, Z0Miner, Boxter) similar to Hive’s toolset (NirSoft, MalXMR miner).
  • Evidence from one Nokoyawa IP address suggests shared infrastructure with Hive.
  • Delivery methods are suspected to be phishing-based, though not definitively confirmed for Nokoyawa.
  • Significant differences exist: Hive typically packs with UPX and uses GoLang; Nokoyawa samples are unpacked and compiled differently, with distinct encryption approaches.

MITRE Techniques

  • [T1566] Phishing – “phishing emails for arrival” – Initial access via phishing emails likely used to install the ransomware.
  • [T1021] Remote Services – “PsExec (lateral deployment of Ransomware)” – Lateral movement using PsExec to deploy ransomware.
  • [T1059.001] PowerShell – “PowerShell Scripts (info gathering)” – Information gathering via PowerShell-based commands.
  • [T1014] Rootkit – “GMER (defense evasion)” – Defense evasion using anti-rootkit tools.
  • [T1003.001] Credential Dumping – “Mimikatz, Z0Miner, and Boxter” – Credential access via credential dumping tools.
  • [T1496] Resource Hijacking – “Z0Miner” – Use of a mining tool to consume victim resources.

Indicators of Compromise

  • [URL] Cobalt Strike download – hxxp://185.150.117[.]186:80/asdfgsdhsdfgsdfg
  • [SHA256] Detected malware hashes – a70729b3241154d81f2fff506e5434be0a0c381354a84317958327970a125507, e097cde0f76df948f039584045acfa6bd7ef863141560815d12c3c6e6452dce4
  • [FileName] Ransom payload filename – xxx.exe

Read more: https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html