Carrotball – a malware downloader, harboured in spear phishing emails targeted a U.S. government agency. Researchers consider that the emails came from the Konni Group APT. The campaign, called “Fractured Statue”, involved six unique malicious document lures, as attachments. These came from four different Russian email addresses. Also, the subject of the lures featured articles written in Russian related to the geopolitical problems regarding North Korea.
Adrian McCabe, with Palo Alto Networks’ Unit 42 research group, said that this is a proof that the tactics, techniques and procedures (TTPs) discovered in Fractured Block are still relevant. Also, this proves that the group is still active. “Additionally, development and use of the new downloader, Carrotball, alongside the more commonly observed malware delivery mechanism, Carrotbat, may indicate that the previous methods employed by the group to successfully infect their targets are becoming less effective,” he mentioned.
How it worked
The emails, which came in three waves, were sent from various email addresses and used varying subjects. They leveraged the geopolitical relations issues surrounding North Korea to lure targets into opening the malicious attachments. The subject of one of the was: “On the situation on the Korean Peninsula and the prospects for dialogue between the USA and the PDR.”
The emails contained files with Russian names and with malicious macro documents attached. The documents were rather generic. Also, there were no embedded image lures to enable macros.
Once downloaded, the malicious attachments attempted to infect victims with malware. This consisted of malicious documents featuring Carrotbat downloaders with SysCon payloads. In 2018, spear-phishing emails targeting a British government agency used Carrotbat, a customized dropper. This droped SysCon – a simple remote access trojan (RAT). This uses the file transfer protocol (FTP) for network communications.
One of the malicious documents also included the new malware downloader, dubbed Carrotball. Similar to the Carrotbat downloader, its purpose was to to facilitate the download and installation of the SysCon backdoor.
“It is a simple FTP downloader utility which facilitates the installation of SysCon, a full-featured remote access trojan (RAT) which leverages FTP for command and control (C2),” said researchers. They found it embedded in a malicious Word document. Thus, they discovered that a US government agency and two non-U.S. foreign nationals professionally affiliated with North Korea received it as a phishing lure.
The downloader and the Konni Group
Researchers assess “with moderate confidence” that the activity is related to the Konni Group. Konni, which appeared in 2014, used two malware families – the NOKKI malware and Carrotball, for 2018 campaigns.
Originally, “Konni” was the name of the malware in the previous campaigns, with strong links to North Korean interests. But additional campaigns appeared with strongly overlapping TTPs but did not feature the Konni RAT. So, researchers started using “Konni” to refer to the threat actor instead of the malware. Thus, use of Carrotball is one indication linking the campaign to the threat group.
Other clues include targeting organizations who have interest in or are directly links to North Korea. Also, using malicious document phishing lures containing subject matter pertaining to North Korea.
However, researchers warn that “There are non-trivial obstacles to obtaining a high-confidence attribution to the Konni Group, namely the fact that previous blogs produced by Unit 42 and other researchers contain a great deal of technical detail about the group’s operations, and copycat actors may attempt to emulate previously observed TTPs to hinder attribution efforts or perform false-flag operations”.