Fractured Block Campaign: CARROTBAT dropper dupports a dozen decoy document formats

Palo Alto Networks recently discovered a malware dropper, dubbed CARROTBAT, that supports a dozen decoy document file formats to drop many payloads.

Experts from Palo Alto Networks have recently discovered a malware dropper, dubbed CARROTBAT, that supports a dozen decoy document file formats to drop many payloads.

Security experts from Palo Alto Networks have discovered a malware dropper, dubbed CARROTBAT, that could support a dozen decoy document file formats to drop many payloads.

Even if CARROTBAT was first discovered in March 2018, in the past three months experts observed an intensification of the activity associated with the dropper.

CARROTBAT was spotted while threat actors were using it to drop payloads in South and North Korea region, attackers were using subjects such as crypto-currencies, crypto-currency exchanges, and political events for the decoy documents.

“Unit 42 has uncovered a campaign leveraging a previously unreported customized dropper that is being used to deliver lures primarily pertaining to the South Korea and North Korea region. These lures revolve around a series of subjects, including various cryptocurrencies, cryptocurrency exchanges, and political events.” reads the analysis published by Palo Alto Networks.

CARROTBAT was used in an attack against a British government agency in December, at the time threat actors used the decoy documents to drop the SYSCON backdoor.

Palo Alto Networks detected 29 unique CARROTBAT samples since its discovery, they contained a total of 12 unique decoy documents.

Palo Alto Networks tracked the CARROTBAT attacks as Fractured Block, the attackers used 11 decoy document file formats (.doc, .docx, .eml, .hwp, .jpg, .pdf, .png, .ppt, .pptx, .xls, and .xlsx.)

In March attackers were using the dropper to deliver different payloads, including old versions of the SYSCON RAT and new sample of the OceanSalt malware.

Experts pointed out that CARROTBAT is not sophisticated and implements a rudimentary command obfuscation.

Once the embedded decoy document is opened, an obfuscated command is executed on the system to download and execute a remote file via the Microsoft Windows built-in certutil utility.

The analysis of timestamps associated with CARROTBAT samples revealed they have been compiled between March 2018 and September 2018.

Experts observed between March and July attackers using the dropper to deliver multiple instances of SYSCON. Since June, OceanSalt attackers started using it too.

Experts discovered an infrastructure overlap between the CARROTBAT and KONNI malware families.

Cisco Talos team discovered the KONNI malware in May when it was used in targeted attacks aimed at organizations linked to North Korea.

The malware, dubbed by researchers “KONNI,” was undetected for more than 3 years and was used in highly targeted attacks. It was able to avoid detection due to a continuous evolution, the recent versions capable of executing arbitrary code on the target systems and stealing data.

On August, experts at Cylance noticed that the decoy document used in KONNI attacks is similar to the one used in recent campaigns of the DarkHotel APT.

“Finding CARROTBAT provided an important lynchpin in identifying Fractured Block Campaign activity. Using CARROTBAT, we were able to find related OceanSalt, SYSCON and KONNI activity.”  Palo Alto Networks concludes. 

“The various overlaps encountered are notable, and it is our suspicion that this threat activity may all belong to the same threat actor. However, we do not believe there to be enough evidence at this time to make this claim with complete certainty.”

Pierluigi Paganini

(Security Affairs – Sofacy, Brexit)


The post Fractured Block Campaign: CARROTBAT dropper dupports a dozen decoy document formats appeared first on Security Affairs.