The Fractured Statue Campaign: U.S. Government Targeted in Spearphishing Attacks (Jan 23, 2020)
Unit 42 has identified malware families tied to the Konni group targeting US government agencies. The lures exploit the socio-geopolitical tensions between North Korea and the U.S. to entice targets into opening malicious email attachments. The name Konni originally referred to a Remote Access Trojan (RAT) associated with targeted campaigns from North Korea; because the more recent operations share large overlaps in TTPs with those campaigns while not using the RAT itself, Unit 42 researchers now refer to the group behind them as the "Konni Group", with activity first cited in July 2019. The malware families involved include SYSCON payloads and a newly named downloader, "CARROTBALL". Each malicious document was sent from a Russian email address, with the lures written in Russian, and the documents consistently used the newly named second-stage downloader CARROTBALL to retrieve SYSCON payloads.
Recommendation: Spearphishing emails represent a significant security risk because the sending address will often appear legitimate to the target; sometimes an email account at the targeted company is compromised and used to send them. Education is the best defense: inform your employees what information requests from their managers and colleagues should normally look like. Employees should also know whom to contact when they suspect they are the target of a possible spearphishing attack.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.