US Government Agency Spear Phished With New CARROTBALL Malware



According to new research posted by Palo Alto Networks' Unit 42, a US government agency and two non-US foreign nationals professionally affiliated with North Korea were targeted by spear phishing using a new malware payload the researchers named "CARROTBALL".

The spear phishing emails targeted 10 unique recipients and came from four unique Russian email addresses. The attack came in three waves using different subject lines as bait. A total of six different malicious word documents with macros initiating the dropper and payload were used.

"Of those malicious documents, five contained CARROTBAT downloaders, and one contained a CARROTBALL downloader. All malicious second stage payloads were SYSCON." According to the researchers, "CARROTBALL, initially discovered in an attack during October 2019, is a simple FTP downloader utility which facilitates the installation of SYSCON, a full-featured Remote Access Trojan (RAT) which leverages FTP for Command and Control (C2)."
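The chain described above (macro-enabled Word document, then an FTP downloader, then a RAT that uses FTP for C2) gives defenders a concrete hunting signal: Microsoft Office processes, and anything they spawn, rarely have a legitimate reason to open FTP connections. The following is an added illustration, not code from Unit 42 or from the article; it assumes endpoint telemetry has been normalised into process-start and network-connection events with the field names shown, and the sample events are constructed for the example.

```python
"""Hunt for FTP connections originating from Office processes or their
descendants. Added example; the event schema and sample data are assumed,
not taken from the article or from Unit 42."""

# Process names treated as "Office" for ancestry purposes (assumption).
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Control-channel port for plain FTP; extend if your environment also sees FTPS.
FTP_PORTS = {21}

# Constructed telemetry: one Word-spawned shell reaching an FTP server (ws01),
# a legitimate FTP client (ws02), and Word talking HTTPS only (ws03).
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 100, "ppid": 1,   "process": "explorer.exe", "event": "start"},
    {"host": "ws01", "pid": 200, "ppid": 100, "process": "WINWORD.EXE",  "event": "start"},
    {"host": "ws01", "pid": 300, "ppid": 200, "process": "cmd.exe",      "event": "start"},
    {"host": "ws01", "pid": 300, "process": "cmd.exe", "event": "netconn",
     "dest_ip": "198.51.100.7", "dest_port": 21},
    {"host": "ws02", "pid": 500, "ppid": 1, "process": "filezilla.exe", "event": "start"},
    {"host": "ws02", "pid": 500, "process": "filezilla.exe", "event": "netconn",
     "dest_ip": "203.0.113.9", "dest_port": 21},
    {"host": "ws03", "pid": 600, "ppid": 1, "process": "winword.exe", "event": "start"},
    {"host": "ws03", "pid": 600, "process": "winword.exe", "event": "netconn",
     "dest_ip": "192.0.2.10", "dest_port": 443},
]


def build_ancestry(events):
    """Map (host, pid) -> (lower-cased process name, parent key) from start events."""
    ancestry = {}
    for ev in events:
        if ev["event"] == "start":
            key = (ev["host"], ev["pid"])
            ancestry[key] = (ev["process"].lower(), (ev["host"], ev["ppid"]))
    return ancestry


def office_ancestor(ancestry, key, max_depth=8):
    """Walk up the process tree from `key`; return the first Office process
    name found (the process itself counts), or None if none within max_depth."""
    for _ in range(max_depth):
        entry = ancestry.get(key)
        if entry is None:
            return None
        name, parent = entry
        if name in OFFICE_PROCESSES:
            return name
        key = parent
    return None


def find_office_ftp(events):
    """Return one alert per FTP connection whose process descends from Office."""
    ancestry = build_ancestry(events)
    alerts = []
    for ev in events:
        if ev["event"] != "netconn" or ev["dest_port"] not in FTP_PORTS:
            continue
        origin = office_ancestor(ancestry, (ev["host"], ev["pid"]))
        if origin is None:
            continue  # e.g. a normal FTP client; not interesting here
        alerts.append({
            "host": ev["host"],
            "process": ev["process"],
            "office_ancestor": origin,
            "dest": f"{ev['dest_ip']}:{ev['dest_port']}",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_office_ftp(SAMPLE_EVENTS):
        print("ALERT office-origin FTP:", alert)
```

Only the `ws01` chain fires: the connection itself is made by `cmd.exe`, but walking the parent chain reaches `WINWORD.EXE`, which is exactly the macro-to-downloader step the article describes. The standalone FTP client on `ws02` and Word's HTTPS traffic on `ws03` do not match, which keeps the rule narrow enough to be useful.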

The spear phishing emails were designed to capture the curiosity of their recipients. The campaigns used Russian-language subject lines with attached Microsoft Word documents featuring "lure articles" written in Russian. They were also deployed to take advantage of what Unit 42 described as "ongoing and heightened geopolitical relations issues surrounding North Korea to lure targets into opening malicious email attachments."

An example of one subject line, written in Russian and translated to English:

"On the situation on the Korean Peninsula and the prospects for dialogue between the USA and the PDR"

It seems the bad guys are not only using social engineering techniques, but are also utilizing top-notch marketing practices. It's possible they sent out three waves (a campaign) with different subject lines and content lures to determine which combination worked best, so as to guarantee that at least one of the targeted recipients took the bait, clicked through to open the malicious document after disabling any existing macro protection, and was compromised. The article doesn't say whether they were successful. All the more reason to inoculate your users with New School Security Awareness training.

This campaign was named Fractured Statue. Unit 42 observed this group between July and October 2019 and had tracked a similar predecessor campaign it discovered in November 2018, which they named "Fractured Block".

Attribution

Unit 42's research said the new RAT appeared to belong to the KONNI family, which was previously associated with North Korean interests. This attack had a strong resemblance to TTPs (tactics, techniques and procedures) previously seen by Unit 42 when the group identified "Fractured Block" in November 2018. However, those campaigns did not use the newly found downloaders and advanced Word macro code. Since published details of the group's activities may have spawned copycats or false flags, they tend to classify this as the "Konni" group.

Read the research on Fractured Statue from Unit 42 here.

Read more about attribution here.


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer


