U.S. Govt Agency Hit With New CARROTBALL Malware Dropper

A new malware dropper called CARROTBALL, used as a second-stage payload in targeted attacks, was distributed in phishing email attachments delivered to a U.S. government agency and to foreign nationals professionally affiliated with current activities in North Korea.

CARROTBALL was delivered in a Microsoft Word document, sent from a Russian email address, that served as the lure for the target; the document's topic was geopolitical relations involving North Korea, Bleeping Computer reported.

Expert Comments

January 27, 2020
Erich Kron
Security Awareness Advocate
KnowBe4
Spear phishing has long been a tool of adversaries and cyber criminals, and a very effective one at that. This type of attack is no surprise; however, it is obvious that the attackers have a very focused audience in this case. We have seen similar attacks where the phishing email was sent in a foreign language along with a convenient link to translate it, which was actually a link to an infected site. These types of attacks are very effective against those who expect to see foreign-themed messages due to the nature of their work. This is why educating people on how to hover over links in emails in order to find their real destination, and how to spot the other red flags in phishing emails, has never been more important. The use of FTP as a command and control channel reinforces the need to not only filter incoming internet traffic at the firewalls, but also limit and monitor outbound traffic to required services. FTP is a protocol that is not needed by a majority of people, yet allows command and control channels as in this case, or more commonly, data exfiltration.
January 27, 2020
Richard Bejtlich
Principal Security Strategist
Corelight
Because of the protocols used in this campaign, network security monitoring practitioners have a chance to gather the evidence they need to detect and respond to individual attacks. The intruders used file transfer protocol to transfer files that are executed as commands on victim systems. Because some network traffic analysis and monitoring systems log and parse FTP, and can extract the files transferred, defenders can leverage network forensics to identify the scope and nature of this activity.
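Both comments above come down to the same practical point: FTP is rarely needed by ordinary users, so outbound FTP from a workstation to an external server, and especially a download of an executable or an upload of data over that channel, is worth an alert. The script below is an added example, not code from the article, from the quoted experts, or from Corelight or KnowBe4. It parses a handful of constructed records laid out as a simplified subset of Zeek's ftp.log TSV columns (an assumption; real ftp.log has more fields) and flags sessions where an RFC 1918 host talks FTP to an external server that is not on a hypothetical allowlist, retrieves an executable, or stores a file. The allowlist address, the sample IPs and the file names are all made up for illustration.

```python
"""Flag suspicious outbound FTP sessions from Zeek-style ftp.log records.

Added example, not from the original article or the quoted experts.
Assumptions (all illustrative):
  - records use a simplified subset of Zeek's ftp.log TSV columns;
  - 'internal' means RFC 1918 address space;
  - APPROVED_EXTERNAL_FTP is a hypothetical business-approved server list.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records (not captured traffic). Column order:
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  user  command  arg  reply_code
SAMPLE_FTP_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tuser\tcommand\targ\treply_code
1580100001.1\tCabc1\t10.1.2.34\t51000\t203.0.113.7\t21\tanonymous\tRETR\tupdate.dat\t226
1580100002.2\tCabc1\t10.1.2.34\t51000\t203.0.113.7\t21\tanonymous\tSTOR\tdoc_export.bin\t226
1580100003.3\tCdef2\t10.1.2.35\t51002\t10.1.9.9\t21\tbackup\tRETR\tnightly.tar\t226
1580100004.4\tCghi3\t10.1.2.36\t51004\t198.51.100.5\t21\tuser\tRETR\tpayload.exe\t226
1580100005.5\tCjkl4\t10.1.2.37\t51006\t192.0.2.44\t21\tvendor\tRETR\treadme.txt\t226
"""

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "user", "command", "arg", "reply_code"]

# Hypothetical allowlist of external FTP servers the business actually needs.
APPROVED_EXTERNAL_FTP = {"192.0.2.44"}

# Extensions that should never arrive over an ad hoc FTP session.
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")

# RFC 1918 only. ipaddress.is_private also treats the TEST-NET ranges used in
# the sample as private, which would hide the external servers, so list them.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if ip falls inside RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_ftp_log(text):
    """Parse TSV records into dicts, skipping Zeek '#' header/comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed record; in production, count and report these
        records.append(dict(zip(FIELDS, parts)))
    return records


def analyze(records):
    """Return findings as (uid, orig_h, resp_h, reason) for outbound FTP sessions."""
    findings = []
    by_session = defaultdict(list)
    for r in records:
        by_session[r["uid"]].append(r)   # group commands by connection uid

    for uid, cmds in by_session.items():
        orig, resp = cmds[0]["orig_h"], cmds[0]["resp_h"]
        # Only internal client -> external server is egress; skip the rest.
        if not is_internal(orig) or is_internal(resp):
            continue
        if resp not in APPROVED_EXTERNAL_FTP:
            findings.append((uid, orig, resp,
                             "outbound FTP to unapproved external server"))
        for c in cmds:
            if c["command"] == "RETR" and c["arg"].lower().endswith(EXECUTABLE_EXTS):
                findings.append((uid, orig, resp,
                                 f"downloaded executable {c['arg']}"))
            elif c["command"] == "STOR":
                findings.append((uid, orig, resp,
                                 f"uploaded {c['arg']} (possible exfiltration)"))
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_ftp_log(SAMPLE_FTP_LOG)):
        print("ALERT", *finding)
```

Run against the sample, the internal-to-internal backup session and the download from the allowlisted server produce nothing, while the two sessions to unapproved servers each raise two alerts (one for the destination, one for the executable download or the upload). The same session grouping is what lets an analyst go back to the NSM sensor's extracted files for the flagged uids rather than for every FTP transfer on the network.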