US Agency Hit With N. Korean-Themed Phishing: ReportResearchers Suspect Konni APT Group Involved
A spear-phishing campaign targeted a U.S. government agency for several months last year using emails with content about North Korea geopolitics as a lure, according to an analysis from Palo Alto Networks' Unit 42.
The campaign, which the researchers dubbed "Fractured Statue," was active between July and October 2019, the analysis found. It targeted five employees at a U.S. government agency – which the report did not identify - as well as two foreign nationals who had professional ties to North Korea, according to the Unit 42 report.
The goal of the campaign was to plant malware within the IT network of the government agency and gain remote access to different devices and systems, the report states. The agency's security defenses, however, stopped the hackers from planting the malware within devices, says Adrian McCabe, senior threat researcher for Unit 42.
The spear-phishing emails, as well as other details, were then provided to a Unit 42 researcher who conducted the analysis, McCabe says.
" While looking through behavioral-based spear-phishing indicators, an associated document containing malicious macros was subsequently identified," McCabe told Information Security Media Group. "From that initial lead, we were able to continue our investigation."
Unit 42 researchers say they have "moderate confidence" that an advanced persistent threat group called "Konni" was responsible for the spear-phishing campaign. The remote access Trojans, or RATs, used against the government agency and the individuals in the campaign are similar to malware used by Konni in other attacks, the report notes.
The Konni group has been active since at least 2014 and has taken an interest in victims and targets with ties or business interests in North Korea, according to Unit 42 and Cisco Talos.
"Between July and October 2019, Unit 42 observed several malware families typically associated with the Konni group used to primarily target a U.S. government agency, using the ongoing and heightened geopolitical relations issues surrounding North Korea to lure targets into opening malicious email attachments," Unit 42 researchers report.
McCabe says that Unit 42 continues to track Konni and its activities.
The campaign targeting the U.S. government agency came in three waves, Unit 42 researchers say: the first between July 15 and July 17, 2019; the second between Aug. 15 and Sept. 14, 2019; and finally one on Oct. 29.
In each wave, the attackers sent phishing emails that contained attached documents written in Russian pertaining to geopolitical matters related to North Korea, according to Unit 42. The hackers used four Russian email addresses and sent malicious emails to 10 targets, the report shows.
If someone opened the attached documents, malicious macros would attempt to installed a customized dropper that Unit 42 refers to as "Carrotbat," which has been previously been spotted in the wild and is believed to have been used by Konni in other campaigns, according to the report.
In addition, the researchers found a new downloader called "Carrotball," during one of the attacks. It's described as a File Transfer Protocol downloader utility that installs "Syscon," a remote access Trojan. Syscon leverages FTP to communicate with a command-and-control server and creates a backdoor into the network, according to Unit 42.
Once the connection was made between the targeted device and the command-and-control server, the hackers could download additional malware or exfiltrate data from the device or network, according to Unit 42.
Relatively little is known about the Konni group, and it's unclear if it’s affiliated with a nation-state.
The group, which was discovered in 2017 by security researchers at Cisco Talos, uses uniquely designed remote access Trojans as well as social engineering techniques to prompt victims to open email attachments that contain its malware.
"Development and use of the new downloader, Carrotball, alongside the more commonly observed malware delivery mechanism, Carrotbat, may indicate that the previous methods employed by the group to successfully infect their targets are becoming less effective," according to the report.
(Managing Editor Scott Ferguson contributed to this report)