
Carrotball attacks U.S. Agency

Carrotball, a malware downloader delivered through spear-phishing emails, targeted a U.S. government agency. Researchers attribute the emails to the Konni Group APT. The campaign, called “Fractured Statue”, involved six unique malicious documents sent as attachments, which came from four different Russian email addresses. The subject lines of the lures referenced articles written in Russian about the geopolitical problems surrounding North Korea.

Adrian McCabe, of Palo Alto Networks’ Unit 42 research group, said this is proof that the tactics, techniques and procedures (TTPs) discovered in Fractured Block are still relevant, and that the group is still active. “Additionally, development and use of the new downloader, Carrotball, alongside the more commonly observed malware delivery mechanism, Carrotbat, may indicate that the previous methods employed by the group to successfully infect their targets are becoming less effective,” he mentioned.

How it worked

The emails, which came in three waves, were sent from various email addresses and used varying subjects. They leveraged the geopolitical issues surrounding North Korea to lure targets into opening the malicious attachments. The subject of one of them was: “On the situation on the Korean Peninsula and the prospects for dialogue between the USA and the PDR.”

The emails carried attachments with Russian file names, which were documents containing malicious macros. The documents were rather generic: they contained no embedded image lures prompting the recipient to enable macros.

Once opened, the malicious attachments attempted to infect victims with malware: malicious documents carrying Carrotbat downloaders with SysCon payloads. In 2018, spear-phishing emails targeting a British government agency used Carrotbat, a customized dropper, which dropped SysCon, a simple remote access trojan (RAT) that uses the file transfer protocol (FTP) for network communications.

Carrotball

One of the malicious documents also included the new malware downloader, dubbed Carrotball. Similar to the Carrotbat downloader, its purpose was to facilitate the download and installation of the SysCon backdoor.

“It is a simple FTP downloader utility which facilitates the installation of SysCon, a full-featured remote access trojan (RAT) which leverages FTP for command and control (C2),” said researchers. They found it embedded in a malicious Word document that was sent as a phishing lure to a U.S. government agency and to two non-U.S. foreign nationals professionally affiliated with North Korea.
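A defensive check for the chain described above (macro document, FTP downloader, FTP-based C2), as an added example that is not code from Unit 42 or from this article: it correlates constructed Sysmon-style process-creation and network-connection events and flags any TCP/21 connection made by a process descended from an Office application. The event layout, file paths, PIDs and addresses are all assumptions made for the illustration.

```python
"""Flag FTP (TCP/21) connections from process trees rooted in an Office app.

Added example; not code from the Unit 42 report. The events below are
constructed Sysmon-style records (type 1 = process create, type 3 =
network connect), not real telemetry. Paths, PIDs and IPs are made up.
"""
from typing import Dict, List, Optional, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
FTP_PORT = 21

# Constructed sample: Word spawns a dropped binary that talks FTP (bad),
# while a standalone FTP client under explorer.exe talks FTP (benign).
SAMPLE_EVENTS: List[dict] = [
    {"type": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": 1, "pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": 1, "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"type": 3, "pid": 300, "dst": "203.0.113.10", "dport": 21, "proto": "tcp"},
    {"type": 1, "pid": 400, "ppid": 100, "image": r"C:\Program Files\FileZilla\filezilla.exe"},
    {"type": 3, "pid": 400, "dst": "203.0.113.20", "dport": 21, "proto": "tcp"},
]


def office_ancestor(pid: int, procs: Dict[int, dict]) -> Optional[str]:
    """Walk the parent chain; return the first Office image name found, else None."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # guard against malformed/cyclic parent data
        image = procs[pid]["image"].rsplit("\\", 1)[-1].lower()
        if image in OFFICE_IMAGES:
            return image
        pid = procs[pid]["ppid"]
    return None


def find_office_ftp(events: List[dict]) -> List[Tuple[int, str, str, str]]:
    """Return (pid, image, dst_ip, office_ancestor) for each FTP connection under Office."""
    procs = {e["pid"]: e for e in events if e["type"] == 1}
    hits = []
    for e in events:
        if e["type"] != 3 or e.get("proto") != "tcp" or e.get("dport") != FTP_PORT:
            continue
        ancestor = office_ancestor(e["pid"], procs)
        if ancestor:
            hits.append((e["pid"], procs[e["pid"]]["image"], e["dst"], ancestor))
    return hits


if __name__ == "__main__":
    for hit in find_office_ftp(SAMPLE_EVENTS):
        print("ALERT: FTP connection from Office-descended process:", hit)
```

Only the dropped binary under WINWORD.EXE is reported; the FTP client launched from Explorer is not, which is the distinction this kind of parent-chain check is meant to make.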

The downloader and the Konni Group

Researchers assess “with moderate confidence” that the activity is related to the Konni Group. Konni, which appeared in 2014, used two malware families, the NOKKI malware and Carrotball, in its 2018 campaigns.

Originally, “Konni” was the name of the malware used in the previous campaigns, which had strong links to North Korean interests. Additional campaigns then appeared with strongly overlapping TTPs but without the Konni RAT, so researchers began using “Konni” to refer to the threat actor rather than the malware. The use of Carrotball is therefore one indication linking this campaign to the threat group.

Other clues include the targeting of organizations with an interest in, or direct links to, North Korea, and the use of malicious document phishing lures whose subject matter pertains to North Korea.

However, researchers warn that “There are non-trivial obstacles to obtaining a high-confidence attribution to the Konni Group, namely the fact that previous blogs produced by Unit 42 and other researchers contain a great deal of technical detail about the group’s operations, and copycat actors may attempt to emulate previously observed TTPs to hinder attribution efforts or perform false-flag operations”.

Laurentiu Titei
