Researchers uncover phishing campaign tied to CARROTBAT dropper

In a blog post on 29th November, Josh Grunzweig and Kyle Wilhoit, researchers at Palo Alto Networks’ Unit 42 division reported their findings regarding the CARROTBAT dropper which has been targeting the Korean region.

Background: A phishing campaign targeting the Korean peninsula, named Fractured Block first began last March, but has significantly grown in activity in the last three months, according to the Unit 42 division researchers. It is using a malicious dropper CARROTBAT to deliver decoy documents and other payloads like trojans to its targets.

In the blog post, Grunzweig and Wilhoit write:

• “Unit 42 has uncovered a campaign leveraging a previously unreported customized dropper that is being used to deliver lures primarily pertaining to the South Korea and North Korea region. These lures revolve around a series of subjects, including various cryptocurrencies, cryptocurrency exchanges, and political events. Based on various information witnessed within this dropper, Unit 42 has dubbed this malware family CARROTBAT.”
• “CARROTBAT was initially discovered in an attack on December 2017. This attack was made against a British government agency using the SYSCON malware family. SYSCON is a simple remote access Trojan (RAT) that uses the file transfer protocol (FTP) for network communications. While there is no evidence that this attack against a British government agency made use of the CARROTBAT dropper, we found overlaps within this attack’s infrastructure that ultimately lead us to CARROTBAT’s initial discovery, as well as other ties between these two malware families.”
• “In total, 29 unique CARROTBAT samples have been identified to date, containing a total of 12 confirmed unique decoy documents. These samples began appearing in March of this year, with the majority of activity taking place within the past 3 months. The payloads vary, as earlier instances delivered SYSCON, while newer instances are delivering the previously reported OceanSalt malware family. CARROTBAT and their associated payloads constitute a campaign that we are dubbing ‘Fractured Block’.”
• The CARROTBAT dropper is "a dropper that allows an attacker to drop and open an embedded decoy file" saved as one of 11 different formats, "followed by the execution of a command that will download and run a payload on the targeted machine. This command will attempt to download and execute a remote file via the Microsoft Windows built-in certutil utility."
• The CARROTBOT phishing lures have subjects typically related to either cryptocurrencies or politics, according to Grunzweig and Wilhoit.
  “These lures revolve around a series of subjects, including various cryptocurrencies, cryptocurrency exchanges, and political events.”

Origins of CARROTBAT

The researchers noted that the initial discovery resulted from an investigation of a phishing attack on a British government agency which also used news articles on US-North Korea relations as a lure. Though CARROTBAT wasn’t used as a dropper in this attack, it was later uncovered while investigating the attackers’ infrastructure.

The researchers found overlapping infrastructure with KONNI malware and SYSCON malware. KONNI malware notably, is a malicious remote administration tool (RAT) found targeting Southeast Asian region and abuse free web hosting providers for its C2 infrastructure.

The researchers conclude:

• “Finding CARROTBAT provided an important lynchpin in identifying Fractured Block Campaign activity. Using CARROTBAT, we were able to find related OceanSalt, SYSCON and KONNI activity. The various overlaps encountered are notable, and it is our suspicion that this threat activity may all belong to the same threat actor. However, we do not believe there to be enough evidence at this time to make this claim with complete certainty.”