A malware downloader named Carrotball emerged in a malicious email campaign; source could be linked to the Konni Group APT

Several strains of malware struck a US government agency through spear phishing emails. The attack campaign, “Fractured Statue,” went on from July to October and used six different malicious document attachments. They came from four separate Russian email addresses, going out to 10 targets. The articles were written in Russian and were about geopolitical relations involving North Korea.

Perhaps most noteworthy, researchers noticed the use of a malware downloader named Carrotball. Carrotball may be replacing its predecessor, Carrotbat, which was commonly seen as a delivery infection mechanism.

Malware Delivery Mechanism

The phishing emails went out in three stages: the first going out July 15-17, the second August 15-September 14 and the last October 29. They had different subject lines pertaining to North Korea, a ploy to entice users to open the emails.

One subject was “On the situation on the Korean Peninsula and the prospects for dialogue between the USA and the PDR.” The email attachments contained macros. When users downloaded and opened attachments, multiple malware families broke out and infected the victims.

The Carrotbat malware downloader was first discovered in December 2017, gaining a lot of attention in 2018 when it targeted a British government agency. Then and now, Carrotbat dropped SysCon, a remote access Trojan (RAT) that uses FTP for network communications.

Carrotball, the newer malware downloader, was in one of the malicious documents. It shares some traits with Carrotbat, including installing the SysCon RAT. SysCon was embedded in an infected Word document and emailed to a US agency and two foreign nationals affiliated with North Korea.

The Responsible Party – North Korea’s APT Konni Group 

The research group Unit 42 believes “with moderate confidence” that the Konni Group is responsible. Konni was discovered in 2014 and is most known for two malware families – Nokki and Carrotball – used in cyberattacks in 2018.

“Konni” refers to malware used previously that was linked to North Korea. But as subsequent malware campaigns continued with overlapping TTPs – tactics, techniques and procedures — they did not feature the Konni RAT. Researchers then began applying the Konni name to the bad actors themselves rather than the malware.

Given its previous associations, Carrotball’s presence in the attack campaign signifies a link to Konni.

Further resources:

Demo: Multi-Level Protection Against Ransomware

Healthcare Orgs Suffering High Ratio & Rising Threats from Ransomware, Phishing Attacks

Oregon DHS hit by massive phishing attack, 645K accounts compromised

The Year of Rising Ransomware, Ryuk Wields its Own Unique Nastiness

MegaCortex Ransomware Worsens — Hackers Change Users’ Passwords & Make Blackmail Demands

MegaCortex Malware Strikes Business Networks, Does Damage Both as Ransomware and Disk Wiper