A US government agency was targeted with a new malware downloader called CARROTBALL, which is used as a second-stage payload in targeted attacks. It was distributed through phishing email attachments delivered to the agency and to non-US foreign nationals professionally affiliated with ongoing activities in North Korea.
CARROTBALL arrived in an email sent from a Russian address, inside a Microsoft Word document whose lure concerned geopolitical relations with North Korea.
Researchers at Palo Alto Networks’ Unit 42 analyzed the campaign, which ran between July and October 2019, and found multiple malware families normally attributed to a threat group tracked as KONNI.
The campaign, which the researchers named Fractured Statue, used six unique document lures sent from four unique Russian email addresses.
All of the documents carried malware that downloaded and installed SYSCON, a full-featured remote access trojan (RAT) that uses the File Transfer Protocol (FTP) to communicate with its command-and-control server. Because FTP traffic from user workstations to previously unseen external hosts is uncommon in most environments, it is a practical detection point for this family.
Only one of the documents carried CARROTBALL; all the others delivered the CARROTBAT dropper, first observed in a December 2017 attack against a British government agency.
Unit 42’s research states that by introducing a new downloader family, KONNI shows an evolution of its tactics, techniques, and procedures (TTPs).
The Fractured Statue campaign ran in three waves; CARROTBALL appeared only in the last one, in an email with the subject “The investment climate of North Korea,” sent from the address “[email protected][.]ru.”
The sender added multiple recipients to their email.
Apart from the document carrying CARROTBALL, all the others used the same macro code, which checked the architecture of the Windows host, executed a command hidden in a text box in the document, and then cleared the text boxes and saved the file, so the command no longer remained in the saved document.
In the last wave a different macro was observed. It did not take commands from the document but relied on an embedded Windows binary “in the form of hex bytes delimited via the ‘|’ character that ultimately acted as a dropper.”
When the macro executed, it split the string on the delimiter, converted each hex token to a byte, and wrote the resulting binary to disk.
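The decoding step just described is easy to reproduce, and doing so is also a useful triage check for suspicious documents. The following Python script is an added example, not code from Unit 42 or from the CARROTBALL macro itself: it scans macro source text for a long run of pipe-delimited hex byte pairs, rebuilds the bytes the way the macro would, and reports whether the result starts with the PE “MZ” magic. The sample macro text is constructed for the example, and the MIN_BYTES threshold is an assumption chosen to ignore short incidental matches.

```python
import hashlib
import re

# Constructed sample VBA source, not taken from the Fractured Statue documents:
# the first 28 bytes of a DOS/PE header (starting with the 'MZ' magic) written
# the way the article describes, as hex byte pairs delimited by '|'.
SAMPLE_MACRO_TEXT = (
    'Sub AutoOpen()\n'
    'Dim s As String\n'
    's = "4D|5A|90|00|03|00|00|00|04|00|00|00|FF|FF|00|00|'
    'B8|00|00|00|00|00|00|00|40|00|00|00"\n'
    'End Sub\n'
)

# Minimum number of byte tokens before a run counts as a candidate payload.
# This threshold is an assumption chosen to skip short incidental matches.
MIN_BYTES = 16

# A run of two-hex-digit tokens joined by '|' that is at least MIN_BYTES long.
PIPE_HEX_RUN = re.compile(
    r'(?:[0-9A-Fa-f]{2}\|){%d,}[0-9A-Fa-f]{2}' % (MIN_BYTES - 1)
)


def decode_pipe_hex(run: str) -> bytes:
    """Rebuild the binary the way the macro would: split on '|' and convert
    each hex token to one byte."""
    return bytes(int(token, 16) for token in run.split('|'))


def find_embedded_binaries(text: str) -> list:
    """Scan macro source text for pipe-delimited hex runs and decode each one.

    Returns a list of dicts with the match offset, decoded length, SHA-256 of
    the decoded bytes, whether the data starts with the PE 'MZ' magic, and the
    decoded bytes themselves for further analysis.
    """
    findings = []
    for match in PIPE_HEX_RUN.finditer(text):
        data = decode_pipe_hex(match.group(0))
        findings.append({
            'offset': match.start(),
            'length': len(data),
            'sha256': hashlib.sha256(data).hexdigest(),
            'is_pe': data[:2] == b'MZ',
            'data': data,
        })
    return findings


if __name__ == '__main__':
    for finding in find_embedded_binaries(SAMPLE_MACRO_TEXT):
        print(f"offset={finding['offset']} length={finding['length']} "
              f"is_pe={finding['is_pe']} sha256={finding['sha256']}")
```

In practice the VBA source would first be dumped from the document with a tool such as oletools’ olevba and then fed to find_embedded_binaries; the decoded bytes can be hashed and submitted for further analysis without ever executing the macro.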
KONNI is also the name of a RAT seen in targeted campaigns that aligned with North Korean interests; the RAT itself has been absent from more recent activity that otherwise overlaps in TTPs.