Removal instructions for NokNok backdoor malware
Written by Tomas Meskauskas on (updated)
What kind of malware is NokNok?
NokNok is the name of a backdoor-type malware that targets macOS (Mac Operating Systems). Programs within this classification are designed to open a "backdoor" for additional malicious components into compromised systems.
NokNok has been used in cyber-espionage attacks targeting individuals and entities associated with US foreign affairs and nuclear security spheres. These attacks were prepped for both Windows and Mac users; the latter aimed to infect their devices with NokNok malware.
There is evidence linking these campaigns with threat actors who support the Islamic Revolutionary Guard Corps (IRGC), specifically the IRGC Intelligence Organization.
NokNok malware overview
The observed NokNok-proliferating campaigns began with malicious attachments in spam emails. The deceptive mail included seemingly innocuous letters thematically relevant to the intended victims. These emails included password-protected ZIP archive attachments, which contained the malware and a set of instructions.
The archive file included a Mac app disguised as a "RUSI VPN" solution and share drive GUI (Graphical User Interface). When the malicious application was launched, it executed an Apple script file that downloaded NokNok.
If the infection is successful, the NokNok backdoor begins downloading its modules. One of them is designed to obtain a list of currently running processes. Another acquires a list of installed applications. The "Informations" module collects data relating to the system (e.g., macOS version, operation times, etc.), network, and installed apps. Yet another module ensures the malware's persistence and may be used to prep the system for further infection.
Since the goal of these campaigns is espionage, NokNok could be used to infiltrate sophisticated information stealers into compromised devices. Data-stealing malware can target specific details or a broad range of information. Stealers can extract data from systems and installed applications.
Theoretically, backdoor malware can infect machines with just about any type of malicious program (e.g., trojan, ransomware, etc.); however, it typically operates within certain limitations.
It must be mentioned that malware developers often improve upon their creations and tactics. It is not unlikely to be the case with NokNok, especially considering the highly targeted nature of these attacks.
To summarize, malware can cause multiple system infections, data loss, severe privacy issues, financial losses, and lead to identity theft. Attacks leveraged against particularly sensitive entities may carry significantly more devastating consequences.
| Name | NokNok malware |
| Threat Type | Mac malware, Mac virus, Backdoor |
| Detection Names | Avast (Other:Malware-gen [Trj]), Combo Cleaner (Heur.BZC.YAX.Boxter.151.12B21437), ESET-NOD32 (LNK/NukeSped.Y), Kaspersky (HEUR:Trojan.WinLNK.Agent.gen), Full List (VirusTotal) |
| Symptoms | Backdoor malware is designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. |
| Distribution methods | Infected email attachments, malicious online advertisements, social engineering, software 'cracks'. |
| Damage | Stolen passwords and banking information, identity theft, monetary losss, additional infections, and more. |
| Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Backdoor malware examples
We have investigated thousands of malware samples; RShell, macOS.Macma, OceanLotus – are a few examples of backdoor programs targeting macOS, and ShadowVault, JokerSpy, Geacon, TrafficStealer – are just some of our newest articles on Mac-specific malware.
Malicious software can have a wide variety of capabilities, which can be in different combinations. However, regardless of how malware operates – its presence on a system endangers device integrity and user privacy as well as safety. Therefore, we strongly advise eliminating all threats immediately upon detection.
How did NokNok malware infiltrate my computer?
As previously mentioned, the known NokNok campaigns originated from malicious spam mail (screenshots below). It targeted persons and entities associated with the foreign affairs and nuclear security spheres of the United States. The cyber criminals spoofed the email accounts of well-known experts, thus creating an impression of legitimacy for the letters that related to Middle Eastern affairs and nuclear security.
The initial volley of email-spread malware was not compatible with Mac devices. Once that factor was determined, the victim was sent a different letter intended to infiltrate NokNok into their machines.
Some of the emails also included a link to a fake FTP (File Transfer Protocol) website. Additionally, the victim was provided log-in credentials for the bogus file-sharing service. However, once entered, the credentials were rejected, and the victim could be provided with further instructions. It is possible that the purpose of the fake site was to harvest visitor data.
The spam emails had password-protected ZIP files attached. Therein the recipient found instructions and the files triggering the first stage of the NokNok malware. The latter included a Mac application presented as a "RUSI VPN" solution and the GUI for a share drive. Once the app was launched, it executed an Apple script file to download NokNok.
It is pertinent to mention that this malware could be used to target other spheres and be distributed using different lures or techniques.
Phishing and social engineering are prevalent in malware proliferation. The most widely used distribution methods include: malicious attachments and links in spam mail (e.g., emails, PMs/DMs, SMSes, etc.), drive-by (stealthy/deceptive) downloads, online scams, malvertising, untrustworthy download sources (e.g., freeware and free file-hosting websites, P2P sharing networks, etc.), illegal program activation tools ("cracks"), and fake updates.
What is more, some malicious programs can self-proliferate via local networks and removable storage devices (e.g., external hard drives, USB flash drives, etc.).
How to avoid installation of malware?
We strongly recommend approaching incoming emails and other messages with caution. Attachments or links found in suspect/irrelevant mail must not be opened, as they can be infectious.
Furthermore, all downloads must be performed from official and verified channels. We also advise activating and updating programs by using functions/tools provided by genuine developers, as those acquired from third-parties can contain malware.
Another recommendation is to be vigilant when browsing since fake and malicious online content usually appears legitimate and harmless.
We must emphasize the importance of having a reputable anti-virus installed and kept updated. Security software must be used to run regular system scans and to remove detected threats and issues. If your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate all threats.
Screenshot of emails proliferating NokNok backdoor (image source – Proofpoint);
First email:
Text presented in this letter:
Dear -
This is Prof. Karl Robers, a Senior Fellow and Deputy Director of Terrorism and Conflict at RUSI.
We are studying security issues and working on a project called "Iran in the Global Security Context" which evaluates the impact of the Abraham Accords on Iran's regional role and MENA security now. I've been making the rounds with a few experts about our new project. We've written a bit on this, and it would be, no question, our please to have you read it. I just need the green light to send it to you.
Emily Winterbotham, Dr. Antonio Giustozzi, and Dr. Jessica White are the main members of this project and we can give you a call to further explain our project.
To show our appreciation for your willingness to participate in this project, we would like to offer you an honorarium.
I was hoping you might be up for a chat too and Looking forward to hearing from you.
Best,
Karl
Second email:
Text presented in this letter:
Hi - This is Emily Winterbotham, a director of the Terrorism and Conflict at the RUSI Center. Yesterday I was talking about the project with Prof. Karl, who informed me that he sent you the completed parts of the project and how to access the shared folder, but unfortunately, he has not received any response from you yet.
We are very interested to benefit from your opinions and expertise in our project.
Looking forward to hearing from you.
Best
Emily
Instant automatic Mac malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
- What is "NokNok"?
- STEP 1. Remove PUA related files and folders from OSX.
- STEP 2. Remove rogue extensions from Safari.
- STEP 3. Remove rogue add-ons from Google Chrome.
- STEP 4. Remove potentially unwanted plug-ins from Mozilla Firefox.
Video showing how to remove adware and browser hijackers from a Mac computer:
Potentially unwanted applications removal:
Remove potentially unwanted applications from your "Applications" folder:
Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Remove adware-related files and folders
Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...
Check for adware generated files in the /Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: /Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the ~/Library/Application Support/ folder:
In the Go to Folder... bar, type: ~/Library/Application Support/
In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.
Check for adware generated files in the ~/Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: ~/Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the /Library/LaunchDaemons/ folder:
In the "Go to Folder..." bar, type: /Library/LaunchDaemons/
In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
Scan your Mac with Combo Cleaner:
If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.
Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.
After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.
Remove malicious extensions from Internet browsers
Remove malicious Safari extensions:
Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".
In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.
Remove malicious extensions from Google Chrome:
Click the Chrome menu icon 
(at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.
Remove malicious extensions from Mozilla Firefox:
Click the Firefox menu 
(at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.
Frequently Asked Questions (FAQ)
My computer is infected with NokNok malware, should I format my storage device to get rid of it?
In most cases, the removal of malicious programs does not necessitate formatting.
What are the biggest issues that NokNok malware can cause?
The threats posed by an infection depend on the malware's capabilities and the cyber criminals' modus operandi. NokNok is a backdoor – a type of malware designed to cause chain infections. It has been observed being used by threat actors for cyber-espionage, with targets including individuals and entities related to the US foreign affairs and nuclear security sectors. There is evidence suggesting that the group behind these attacks is supporting the Intelligence Organization of the Islamic Revolutionary Guard Corps (IRGC).
While most malware infections can lead to data loss, severe privacy issues, financial losses, and identity theft – attacks leveraged against highly sensitive targets carry significantly more devastating dangers.
What is the purpose of NokNok malware?
Most malware infections are motivated by financial gain. However, as indicated by the previous answer, NokNok has been used in politically/geopolitically motivated attacks.
How did NokNok malware infiltrate my computer?
NokNok has been observed being spread via targeted spam mail. However, this malware could be distributed using other lures or tactics.
Generally, malicious software is proliferated through spam emails/messages, online scams, drive-by downloads, malvertising, dubious download channels (e.g., unofficial and free file-hosting websites, Peer-to-Peer sharing networks, etc.), illegal software activation tools ("cracks"), fake updaters, and so on. Some malicious programs can even self-spread through local networks and removable storage devices.
Will Combo Cleaner protect me from malware?
Yes, Combo Cleaner is capable of detecting and eliminating most of the known malware infections. It must be stressed that performing a complete system scan is essential – since sophisticated malicious software tends to hide deep within systems.
Outstanding!
▼ Show Discussion