CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.^[1]^[2]

ID: S0462

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 02 June 2020

Last Modified: 15 June 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	CARROTBAT has the ability to execute command line arguments on a compromised host.^[2]
Enterprise	T1070	.004	Indicator Removal on Host: File Deletion	CARROTBAT has the ability to delete downloaded files from a compromised host.^[1]
Enterprise	T1105		Ingress Tool Transfer	CARROTBAT has the ability to download and execute a remote file via certutil.^[1]
Enterprise	T1027		Obfuscated Files or Information	CARROTBAT has the ability to download a base64 encoded payload and execute obfuscated commands on the infected host.^[1]
Enterprise	T1082		System Information Discovery	CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.^[1]^[2]

References

Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.

McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.

CARROTBAT

Enterprise Layer

Techniques Used

References