What Is It?

A recent blog entry by Palo Alto Network’s Unit 42 research team details a campaign, which they have named Fractured Statue, of malicious phishing emails sent to employees of an unnamed U.S. government agency. These phishing emails contained malicious Word documents which executed two different downloaders. Unit 42 refers to these downloaders as CARROTBAT and a newer variant they dubbed CARROTBALL. The payload downloaded by both was a variant of a RAT (Remote Access Trojan) called SYSCON. The campaign was initially discovered in October 2019 but was found to have occurred during the period between July and October 2019.

Researchers detailed three specific attacks that occurred as part of the overall campaign, all utilizing a similar attack chain. The first attack covered a few days in the middle of July 2019 and consisted of targeted phishing emails sent to five employees of a U.S. government agency from two email addresses in the .ru (Russia) domain. The emails contained Word documents, written in Russian, with Russian filenames, with textual contents  related to tensions between North Korea and the West. The documents also contained a malicious macro that downloaded and executed a variant of the SYSCON RAT.

One month later, the second attack was launched, occurring over a one-month period from mid-August to mid-September. This attack targeted three additional employees of the same U.S. government agency as the first attack. This time, the malicious documents and the body of the emails utilized both Russian and English and again the downloaded payload was the SYSCON RAT.

The final attack occurred at the end of October 2019 and initially targeted two foreign nationals related to the political situation in North Korea. The malicious documents in this final attack used a different macro, but still resulted in the installation of the SYSCON RAT.

The SYSCON RAT has been seen in the wild since the latter part of 2017. SYSCON is notable for the fact that it utilizes an FTP for its command and control (C2) communication, rather than the more common use of web (HTTP) connections. Previous campaigns making use of SYSCON have also made reference to North Korea, though it should not be assumed the campaigns are orchestrated by North Korean entities. Rather than web traffic, communication between SYSCON and its C2 site occurs by uploading and downloading encoded and zipped files .

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial infection vector for this campaign is malicious Microsoft Word documents.

When/How Did BluVector Detect It?

Eight samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected for an average of 48 months prior to their release.