A new malware called CARROTBALL, used as a second-stage payload in targeted attacks, was distributed in phishing email attachments delivered to a U.S. government agency and non-US foreign nationals professionally affiliated with current activities in North Korea.
CARROTBALL came in a Microsoft Word document acting as a lure for the target, from a Russian email address. The topic was geopolitical relations issues regarding North Korea, Bleeping Computer reported.
U.S. Govt Agency Hit with New CARROTBALL Malware Dropper – by @Ionut_Ilascuhttps://t.co/xrDRnze6lw
— BleepingComputer (@BleepinComputer) January 24, 2020
Spear phishing has long been a tool of adversaries and cyber criminals, and a very effective one at that. This type of an attack is no surprise, however it is obvious that the attackers have a very focused audience in this case. We have seen similar attacks where the phishing email was sent in a foreign language along with a convenient link to translate it, which was actually a link to an infected site. These types of attacks are very effective against those who expect to see foreign themed messages due to the nature of their work. This is why educating people on how to hover over links in emails in order to find their real destination and how to spot the other red flags in phishing emails have never been more important.
The use of FTP as a command and control channel reinforces the need to not only filter incoming internet traffic at the firewalls, but also limit and monitor outbound traffic to required services. FTP is a protocol that is not need by a majority of people, yet allows command and control channels as in this case, or more commonly, data exfiltration.
Because of the protocols used in this campaign, network security monitoring practitioners have a chance to gather the evidence they need to detect and respond to individual attacks. The intruders used file transfer protocol to transfer files that are executed as commands on victim systems. Because some network traffic analysis and monitoring systems log and parse FTP, and can extract the files transferred, defenders can leverage network forensics to identify the scope and nature of this activity.