According to new research posted by Palo Alto Networks' Unit 42, a US government agency and two non-US foreign nationals professionally affiliated with North Korea were targeted by spear phishing that delivered a new malware payload the researchers named "CARROTBALL".
The spear phishing emails targeted 10 unique recipients and came from four unique Russian email addresses. The attack came in three waves, each using different subject lines as bait. In total, six different malicious Word documents were used, carrying macros that initiated the dropper and payload.
"Of those malicious documents, five contained CARROTBAT downloaders, and one contained a CARROTBALL downloader. All malicious second stage payloads were SYSCON." According to the researchers, "CARROTBALL, initially discovered in an attack during October 2019, is a simple FTP downloader utility which facilitates the installation of SYSCON, a full-featured Remote Access Trojan (RAT) which leverages FTP for Command and Control (C2)."
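The chain the article describes has two observable stages on an endpoint: a Word macro launching a dropper, and a downloader or RAT that talks to its server over FTP. The following detection script is an added example written for this post; it is not code from Unit 42 or from the article. It runs over constructed Sysmon-style process and network events (the field names, process paths, hosts and IP addresses are all made up for illustration) and flags an Office process starting an executable from a user-writable directory, and any FTP connection made by Office or by a process descended from it.

```python
"""Detect the infection chain the article describes (macro-enabled Word document ->
dropper -> FTP downloader -> RAT with FTP C2) in endpoint telemetry.

Added example, not code from Unit 42 or the article. Event fields, process names,
hosts and addresses below are constructed for illustration.
"""

# Constructed Sysmon-style telemetry: process-creation and network-connection events.
SAMPLE_EVENTS = [
    # ws01: Word spawns an executable from %TEMP%, which connects out over FTP;
    # that executable then starts a second process that also talks to the FTP server.
    {"type": "process", "host": "ws01", "pid": 4001, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process", "host": "ws01", "pid": 4100, "ppid": 4001,
     "image": r"C:\Users\anna\AppData\Local\Temp\update.exe"},
    {"type": "network", "host": "ws01", "pid": 4100, "dst_ip": "198.51.100.23", "dst_port": 21},
    {"type": "process", "host": "ws01", "pid": 4200, "ppid": 4100,
     "image": r"C:\Users\anna\AppData\Roaming\svc.exe"},
    {"type": "network", "host": "ws01", "pid": 4200, "dst_ip": "198.51.100.23", "dst_port": 21},
    # ws02: Word reaches an HTTPS endpoint and spawns nothing (benign).
    {"type": "process", "host": "ws02", "pid": 5001, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "network", "host": "ws02", "pid": 5001, "dst_ip": "203.0.113.5", "dst_port": 443},
    # ws03: a stand-alone FTP client launched from Explorer, not from Office (benign).
    {"type": "process", "host": "ws03", "pid": 6001, "ppid": 900,
     "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe"},
    {"type": "network", "host": "ws03", "pid": 6001, "dst_ip": "192.0.2.10", "dst_port": 21},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
FTP_PORTS = {21}
# User-writable directories a macro-launched dropper is commonly written to.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_process_table(events):
    """Index process-creation events by (host, pid) so ancestry can be walked."""
    return {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}


def office_ancestor(procs, host, pid, max_depth=8):
    """Walk parents from (host, pid); return the first Office process found, else None.

    max_depth bounds the walk so a malformed tree (a ppid cycle) cannot loop forever.
    """
    cur = procs.get((host, pid))
    for _ in range(max_depth):
        if cur is None:
            return None
        if image_name(cur["image"]) in OFFICE_IMAGES:
            return cur
        cur = procs.get((host, cur["ppid"]))
    return None


def detect_chain(events):
    """Return one alert per suspicious event for two behaviours from the article's chain.

    rule "office-child-from-user-path": an Office process starts an executable that
        lives in a user-writable directory (the macro launching the dropper).
    rule "office-lineage-ftp": Office, or a process descended from it, opens an FTP
        connection (the FTP downloader and the RAT's FTP C2).
    """
    procs = build_process_table(events)
    alerts = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get((e["host"], e["ppid"]))
            if (parent is not None and image_name(parent["image"]) in OFFICE_IMAGES
                    and any(m in e["image"].lower() for m in USER_WRITABLE_MARKERS)):
                alerts.append({"rule": "office-child-from-user-path", "host": e["host"],
                               "pid": e["pid"], "detail": e["image"]})
        elif e["type"] == "network" and e["dst_port"] in FTP_PORTS:
            anc = office_ancestor(procs, e["host"], e["pid"])
            if anc is not None:
                alerts.append({"rule": "office-lineage-ftp", "host": e["host"],
                               "pid": e["pid"],
                               "detail": f"{e['dst_ip']}:{e['dst_port']} via {image_name(anc['image'])}"})
    return alerts


if __name__ == "__main__":
    for a in detect_chain(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']} pid={a['pid']} {a['detail']}")
```

On the constructed events the script raises three alerts, all on ws01: the dropper written to %TEMP% and started by Word, and the two FTP connections from processes beneath Word. Word's own HTTPS traffic on ws02 and the stand-alone FTP client on ws03 are left alone. The port check only covers cleartext FTP on its default port; a downloader using a non-standard port would need the network rule widened or replaced with protocol identification from a sensor that parses FTP commands.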
The spear phishing emails were designed to capture the curiosity of their recipients. The campaigns used Russian-language subject lines with attached Microsoft Word documents featuring "lure articles" written in Russian. They were also timed to take advantage of what Unit 42 described as "ongoing and heightened geopolitical relations issues surrounding North Korea to lure targets into opening malicious email attachments."
An example of one subject line, written in Russian and translated here to English:
"On the situation on the Korean Peninsula and the prospects for dialogue between the USA and the PDR"
It seems the bad guys are not only using social engineering techniques, but are also borrowing top-notch marketing practices. It's possible they sent out three waves (a campaign) with different subject lines and content lures to determine which combination worked best, so that at least one of the targeted recipients would take the bait, click through to open the malicious document, and disable any existing macro protection, resulting in a compromise. The article doesn't say whether they were successful. All the more reason to inoculate your users with new-school security awareness training.
This campaign was named Fractured Statue. Unit 42 observed this group between July and October 2019, and had tracked a similar predecessor campaign, discovered in November 2018, which they named "Fractured Block".
Attribution
Unit 42's research said the new RAT appeared to belong to the KONNI family, which was previously associated with North Korean interests. This attack bore a strong resemblance to TTPs (tactics, techniques and procedures) previously seen by Unit 42 when the group identified "Fractured Block" in November 2018. However, those campaigns did not use the newly found downloaders or the advanced Word macro code. Since published details of the group's activities may have spawned copycats or false flags, they tend to classify this as the "Konni" group.