A US Government agency was hit with a phishing attack attempting to deliver a new malware dropper dubbed CARROTBALL.

Security experts at Palo Alto Networks have uncovered a new malware dropper called CARROTBALL that was used in targeted attacks against a U.S. government agency and non-US foreign nationals.

Experts attribute the attack to the Konni Group, a North Korea-linked nation-state actor.

The attackers use a weaponized Microsoft Word document as a lure for the target, the phishing messages were sent from a Russian email address.

“Between July and October 2019, Unit 42 observed several malware families typically associated with the Konni Group (see Attribution section below for more details) used to primarily target a US government agency, using the ongoing and heightened geopolitical relations issues surrounding North Korea to lure targets into opening malicious email attachments.” reads the analysis published by Palo Alto Networks’s Unit42. “The malware families used in this campaign consisted mainly of malicious documents featuring CARROTBAT downloaders with SYSCON payloads, but also included a new malware downloader Unit 42 has dubbed CARROTBALL.”

This campaign, which the researchers call Fractured Statue, used six unique document lures sent from four unique Russian email addresses.

The subject of the emails featured articles written in Russian pertaining to ongoing geopolitical relations issues surrounding North Korea. Five documents involved in the campaign contained CARROTBAT downloaders , and one contained a CARROTBALL downloader. Both downloaders were used to deliver the second-stage SYSCON malware.

Experts pointed out that the campaign appears as a resemblance to the Fractured Block campaign first uncovered by Unit 42 in November 2018, for this reason, the experts tracked this campaign as Fractured Statue.

Experts identified three different phases of the Fractured Statue campaign and CARROTBALL downloader was used only in the last one that sees the involvement of email messages with the subject “The investment climate of North Korea,” sent from the address “pryakhin20l0@mail[.]ru.”

“Also interesting to note is that the sender added multiple recipients to their email; one was an individual at a US government agency, and the other two individuals were non-US foreign nationals professionally affiliated with ongoing activities in North Korea” continues the analysis of the report.

Experts noticed that all of the malicious documents used in the campaign used the same macro that allowed attackers to determine the target Windows architecture, execute a command that was hidden in a textbox included in the document and then clear the contents of the textboxes and save the document.

In the last wave of the campaign, attackers used a different macro that doesn’t execute commands hidden in the document, instead it relied on an embedded Windows binary.

“The October 2019 attack, however, differed significantly from the previous ones. Instead of reading from the contents of the document itself, the macros leveraged an embedded Windows executable in the form of hex bytes delimited via the ‘|’ character that ultimately acted as a dropper.” continues the analysis. “When the macro was executed, the hex bytes were split, converted to binary, and dropped onto disk as an executable.”

When the macro executed, the hex bytes would be split and converted to binary, then the downloader dubbed CARROTBALL is dropped on the disk.

The name “Konni” identifies a Remote Access Trojan used in targeted campaigns carried out by North Korea-linked APT groups. Experts pointed out that as additional campaigns showing strongly overlapping TTPs yet did not feature the Konni RAT, some experts started using the “Konni” moniker to refer to the actors behind the aggregated set of activity

“Overall, the Fractured Statue campaign provides clear evidence that the TTPS discovered in Fractured Block are still relevant, and that the group behind the attacks still appears to be active.” concludes the report. “Additionally, development and use of the new downloader, CARROTBALL, alongside the more commonly observed malware delivery mechanism, CARROTBAT, may indicate that the previous methods employed by the group to successfully infect their targets are becoming less effective.”

Additional technical details are included in the report published by the Unit42.

Pierluigi Paganini