
Hackers Used New Tools for Targeting US Government Agency

Recent reports revealed that hackers have been targeting a US government agency with malicious emails, and that they also used a never-before-seen malware downloader, Carrotball.

A new report indicates that the US government agency was targeted by hackers who conducted their attack between July and October 2019. The attackers targeted the agency's employees with spear-phishing emails, which were also using numerous malware strains. One significant detail, however, is the use of an entirely new malware downloader that researchers have encountered for the first time. They named the downloader 'Carrotball,' while the campaign itself was titled 'Fractured Statue.'

Reports indicate that the campaign involved around 6 unique malicious document baits and that it was conducted from four Russian email addresses. The attackers targeted ten different individuals, and the documents sent to them were written in Russian but concerned issues involving North Korea.

A member of the Unit 42 research group from Palo Alto Networks, Adrian McCabe, commented that the campaign offers clear evidence that the tactics, techniques, and procedures are still quite relevant. The group that conducted the attack is likely still quite active. However, he also noted that the development and use of the new downloader, Carrotball, as well as an older delivery mechanism, Carrotbat, indicates that the group's older methods were likely ineffective.

As mentioned, the hackers targeted individuals working for the government, and they did so in three attack waves. The first came between July 15th and July 17th last year. The next was significantly longer, lasting from August 15th to September 14th. The last took place on October 29th, according to researchers. The emails came from different email addresses and concerned numerous subjects, mostly related to the geopolitical situation in North Korea. After the documents were downloaded, several malware families were used to infect the device, including Carrotbat and Carrotball.

Researchers suspect that the group behind the attack may be Konni Group, which emerged in 2014. However, it is best known for the 2018 campaigns that used two malware families: Carrotball and NOKKI malware.