A new malware called CARROTBALL, used as a second-stage payload in targeted attacks, was distributed in phishing email attachments delivered to a U.S. government agency and non-U.S. foreign nationals professionally affiliated with current activities in North Korea.
CARROTBALL arrived in a Microsoft Word document, sent from a Russian email address, that acted as a lure for the target. The topic was geopolitical relations regarding North Korea.
Spear phishing from Russian emails
Researchers at Palo Alto Networks' Unit 42 analyzing a campaign between July and October 2019 noticed multiple malware families that are normally attributed to a threat group they refer to as KONNI. This campaign, which the researchers call Fractured Statue, used six unique document lures sent from four unique Russian email addresses.