Phishing emails filled with never-before-seen malware targeting U.S. government

A new malware dropper named CARROTBALL delivers the SYSCON backdoor as a second-stage payload to U.S. government agencies

Palo Alto Networks Unit 42 researchers have released a report[1] on a malicious campaign that pairs CARROTBAT downloaders with SYSCON payloads and introduces a new dropper the team has named CARROTBALL.[2] The malware was distributed via phishing emails to U.S. government agencies and to foreign nationals believed to be associated with current events in North Korea. The email subjects referenced the country's geopolitical situation so that targets would be more likely to open the attached documents.

The campaign, named Fractured Statue, began in the summer of 2019 and consisted of six unique malicious document attachments sent from four different Russian email addresses to 10 specific targets.[3] The report attributes the activity to the threat actor known as the KONNI group. The operators are not new to this kind of campaign, and the changes in tradecraft, including the addition of a never-before-seen dropper, suggest that their earlier techniques were no longer as effective as they wanted:

Overall, the Fractured Statue campaign provides clear evidence that the TTPs [tactics, techniques and procedures] discovered in Fractured Block are still relevant, and that the group behind the attacks still appears to be active.

The spear-phishing campaign explained

Unit 42 researchers identified three waves of this malware distribution campaign between July and October 2019:

  • the first between July 15 and July 17;
  • the second between August 15 and September 14;
  • the third on October 29. 

All the emails used the ongoing geopolitical situation around North Korea in their subject lines to lure the targets into opening the messages and the attached documents, which carried malicious macros. One of the subject lines in the campaign read:

On the situation on the Korean Peninsula and the prospects for dialogue between the USA and the PDR.

The files attached to these emails were mainly in document formats and had Russian-language file names. Each attachment contained malicious macros; once the document was downloaded and opened, it tried to trick the recipient into enabling macros so that the device would be infected.

All of the files ultimately delivered SYSCON, a remote access trojan whose main function is communication with its command-and-control (C&C) server. One attachment carried the CARROTBALL payload, while the others delivered the CARROTBAT dropper.[4]
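The macro-bearing attachments described above only do damage once the recipient clicks "Enable content", so the cheapest mail-gateway control is to quarantine any Office attachment that carries a VBA project at all. The script below is an added example, not code from the Unit 42 report or from the campaign: it inspects OOXML packages (which are zip files) for a vbaProject.bin part and for a macro-enabled content type, flags macro documents renamed to a non-macro extension, and hands legacy OLE2 files off for separate inspection. It generalizes beyond Word to the Excel and PowerPoint macro extensions; the sample attachments and their names are constructed in memory for the demonstration.

```python
"""Flag Office attachments that carry a VBA project.

Added example, not code from the Unit 42 report or the 2-spyware article.
OOXML files (.docx, .docm, .xlsm, ...) are zip packages, so the check needs
only the standard library. Sample attachments are constructed in memory.
"""
from __future__ import annotations

import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML package
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam")
WORD_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
WORD_MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return macro indicators for one attachment; an empty list means none found.

    vba-project          a vbaProject.bin part exists anywhere in the package
    macro-content-type   [Content_Types].xml declares a macroEnabled main part
    extension-mismatch   macro indicators in a file whose extension hides them
                         (a .docm renamed to .docx still runs its macros in Word)
    legacy-ole           OLE2 container: VBA sits in an OLE storage that a
                         zip-only check cannot read, so hand it to an OLE parser
    corrupt-zip          looks like a zip but cannot be parsed
    """
    if data.startswith(OLE_MAGIC):
        return ["legacy-ole"]
    if not data.startswith(ZIP_MAGIC):
        return []                      # not an Office container at all
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return ["corrupt-zip"]

    findings = []
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append("vba-project")
    if "macroenabled" in content_types.lower():
        findings.append("macro-content-type")
    if findings and not filename.lower().endswith(MACRO_EXTENSIONS):
        findings.append("extension-mismatch")
    return findings


def scan_attachments(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Return only the attachments that produced findings, keyed by file name."""
    report = {}
    for name, data in attachments.items():
        findings = classify_attachment(name, data)
        if findings:
            report[name] = findings
    return report


def build_sample_word_package(with_macros: bool) -> bytes:
    """Constructed minimal Word package, laid out the way Word writes .docx vs .docm."""
    main_ct = WORD_MACRO_MAIN_CT if with_macros else WORD_MAIN_CT
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macros:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Real VBA projects are OLE2 streams; a stub carrying the OLE header suffices here.
            pkg.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


# Constructed sample mailbox: placeholder names, not the campaign's actual file names.
SAMPLE_ATTACHMENTS = {
    "benign.docx": build_sample_word_package(with_macros=False),
    "lure.docm": build_sample_word_package(with_macros=True),
    "lure_renamed.docx": build_sample_word_package(with_macros=True),
    "legacy.doc": OLE_MAGIC + b"\x00" * 504,
    "notes.txt": b"plain text, nothing to scan",
}

if __name__ == "__main__":
    for name, findings in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {', '.join(findings)}")
```

The extension-mismatch finding matters because Word decides whether to offer macros based on the package contents, not the file name, so a .docm renamed to .docx still prompts the user to enable content. Legacy .doc files store VBA inside the OLE2 compound file, which this zip-only check cannot read; route those to an OLE-aware tool rather than treating them as clean.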

The never-before-seen CARROTBALL malware dropper

Like the already known CARROTBAT downloader, this new malware, discovered in October, exists to deliver the SYSCON backdoor trojan. The payload was embedded in the document used in the third wave of the Fractured Statue campaign, the only wave in which the emails carried the subject line "The investment climate of North Korea" and were sent from one of the Russian sender addresses ([email protected]).[5]

The KONNI group has previously been seen in similar campaigns targeting people with an interest in North Korea, and the operators spreading CARROTBALL could be imitating those operations to avoid definite attribution. Nevertheless, Unit 42 researchers assess with confidence that this activity is related to the KONNI group, which has been known since 2014.