Infecting Through Documents
Unit 42 from Palo Alto researched this campaign and found that it was carried out between July and October last year and involved a new malware dropper embedded in Word documents sent to people working for government agencies. The lure Word documents are titled as geopolitical issues regarding North Korea. These documents carried CARROTBAT malware droppers and a new malware, CARROTBALL, which was sent through six unique documents to ten government agencies/individuals from four unique Russian email addresses. All the documents contained malware that drops SysCon, a remote access trojan that depends on FTP to communicate with its C2 server.

The group behind this malware, KONNI, has existed since 2014 but became infamous for its attacks in 2018. The name KONNI was originally attributed to a specific RAT malware, but that RAT was missing from recent attacks, which were nonetheless linked to it by overlapping TTPs. This led the researchers to define KONNI as the attacking group rather than the malware. The researchers' analysis revealed that the group has evolved its TTPs (Tactics, Techniques, and Procedures), but not greatly since its previous campaign in November 2018. The dropped CARROTBALL malware would serve to install the SysCon backdoor and infect the systems with further malware families.

According to Unit 42 researchers, this campaign sent phishing emails with the subject line “The investment climate of North Korea” from a Russian address, “[email protected][.]ru.” Further, the attacker sent the same email to multiple recipients, including one individual from a US government agency and two other non-US individuals.