The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks
Executive Summary
Between July and October 2019, Unit 42 observed several malware families typically associated with the Konni Group (see the Attribution section below for more details) used primarily to target a US government agency. The lures exploited the ongoing and heightened geopolitical tensions surrounding North Korea to entice targets into opening malicious email attachments. The malware used in this campaign consisted mainly of malicious documents carrying CARROTBAT downloaders with SYSCON payloads, but also included a new malware downloader that Unit 42 has dubbed CARROTBALL.
CARROTBALL, first discovered in an attack during October 2019, is a simple FTP downloader utility that facilitates the installation of SYSCON, a full-featured Remote Access Trojan (RAT) that uses FTP for Command and Control (C2). It was found embedded in a malicious Word document sent as a phishing lure to a US government agency and to two non-US foreign nationals professionally associated with …
IoC