Cyber Incident Victim: Fractured Statue
Date: Jul 2019
Location: United States of America
Summary
A U.S. government agency and foreign nationals professionally linked to North Korean activities were targeted in a phishing campaign delivering malicious Microsoft Word attachments from Russian email addresses, distributing CARROTBALL and CARROTBAT malware droppers. These payloads deployed SYSCON, a remote access trojan using FTP for command-and-control communications, enabling persistent system access and data exfiltration. The campaign, attributed with moderate confidence to the KONNI threat group aligned with North Korean interests, featured evolving tactics including embedded binary payloads and architecture-specific command execution. Activity occurred across multiple waves, with CARROTBALL appearing in the final wave alongside decoy documents discussing North Korean geopolitical topics, demonstrating the group's continued refinement of delivery mechanisms while maintaining consistent operational objectives.
Description
The Fractured Statue campaign ran between July and October 2019, targeting a U.S. government agency and non-U.S. nationals professionally affiliated with North Korean activities. Attackers sent phishing emails from four Russian email addresses carrying six unique malicious Microsoft Word document lures. These documents, themed around North Korean geopolitical relations, delivered malware payloads when opened. Five documents used the CARROTBAT dropper, first observed in a 2017 attack against a British government agency, while one document in the final wave delivered a new malware family called CARROTBALL. Both droppers downloaded and installed SYSCON, a full-featured remote access trojan that communicated with its command-and-control servers over FTP. The campaign unfolded in three distinct waves; the final wave, in October 2019, used an email titled "The investment climate of North Korea" sent from the address "pryakhin20l0@mail[.]ru."

Initial waves employed a consistent macro technique that checked the victim's Windows architecture, executed commands hidden in document textboxes, then cleared forensic evidence by deleting the textboxes and saving the file. The final wave introduced a technical change in CARROTBALL's delivery mechanism, which embedded a Windows binary within the macro as hex bytes delimited by pipe characters. Upon execution, the macro converted these hex bytes into a binary executable on disk. Researchers from Palo Alto Networks' Unit 42 attributed the campaign with moderate confidence to the KONNI threat group, noting alignment with North Korean interests but acknowledging that a false-flag operation is possible because technical details of KONNI's tactics are publicly available. The campaign showed a progression in tactics while keeping the core operational patterns observed in the group's November 2018 activity, particularly the continued use of document-based initial access and SYSCON RAT deployment.
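As an added triage example (not code from the original page or from Unit 42), the following Python helper looks for the CARROTBALL-style artifact described above: a long run of pipe-delimited hex bytes inside VBA macro source, which it decodes and flags when the bytes begin with the DOS "MZ" magic of a Windows executable. The macro text and the minimum run length are constructed assumptions, not the real CARROTBALL macro.

```python
import re
from typing import List, NamedTuple

# Constructed macro source for illustration only; it is not the real CARROTBALL macro.
# The string literal carries a fake "executable": an MZ header followed by filler,
# encoded as pipe-delimited hex bytes in the style described for CARROTBALL.
SAMPLE_MACRO = (
    'Sub AutoOpen()\n'
    '    Dim s As String\n'
    '    s = "4D|5A|90|00|03|00|00|00|04|00|00|00|FF|FF|00|00|B8|00|00|00|00|00|00|00"\n'
    'End Sub\n'
)
BENIGN_MACRO = 'Sub AutoOpen()\n    MsgBox "Hello"\nEnd Sub\n'

# Assumed threshold: a run of at least MIN_BYTES two-digit hex values separated by
# single pipe characters. Short runs such as "10|20|30" are ignored to limit noise.
MIN_BYTES = 8
PIPE_HEX_RUN = re.compile(r'(?:[0-9A-Fa-f]{2}\|){%d,}[0-9A-Fa-f]{2}' % (MIN_BYTES - 1))


class HexBlob(NamedTuple):
    offset: int          # character offset of the run inside the macro source
    data: bytes          # decoded bytes
    looks_like_pe: bool  # True when the decoded bytes start with the DOS "MZ" magic


def find_pipe_hex_blobs(macro_source: str) -> List[HexBlob]:
    """Locate pipe-delimited hex runs in VBA source text and decode each one."""
    blobs = []
    for match in PIPE_HEX_RUN.finditer(macro_source):
        data = bytes(int(pair, 16) for pair in match.group(0).split('|'))
        blobs.append(HexBlob(match.start(), data, data.startswith(b'MZ')))
    return blobs


def assess_macro(macro_source: str) -> dict:
    """Summarise the embedded-binary indicator for a triage verdict."""
    blobs = find_pipe_hex_blobs(macro_source)
    return {
        'blob_count': len(blobs),
        'embedded_bytes': sum(len(b.data) for b in blobs),
        'embedded_pe': any(b.looks_like_pe for b in blobs),
    }


if __name__ == '__main__':
    for name, src in (('sample', SAMPLE_MACRO), ('benign', BENIGN_MACRO)):
        print(name, assess_macro(src))
```

Feed it VBA source extracted from a suspect document, for example with olevba from the oletools project; a positive result is a triage signal to sandbox the file, not proof of this specific family.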
