A phishing campaign targeting the Korean peninsula is using a malicious dropper called CARROTBAT to deliver decoy documents and secondary payloads such as remote access trojans to its victims.
Dubbed Fractured Block, the campaign began last March, but has noticeably picked up steam in the last three months, according to a blog post by Josh Grunzweig and Kyle Wilhoit, researchers at Palo Alto Networks’ Unit 42 division.
Unit 42 has so far identified 29 unique CARROTBAT samples, noting that their final payloads have varied between the FTP-based RAT SYSCON and the recently discovered Oceansalt malware implant that uses code associated with APT1 (aka Comment Crew), a reputed Chinese APT actor.
Unit 42 describes CARROTBAT as “a dropper that allows an attacker to drop and open an embedded decoy file” saved as one of 11 different formats, “followed by the execution of a command that will download and run a payload on the targeted machine. This command will attempt to download and execute a remote file via the Microsoft Windows built-in certutil utility.”
The subject matter used in the CARROTBOT phishing lures have typically related to either cryptocurrencies or politics, explain Grunzweig and Wilhoit. Examples of the former included a business card from COINVIL, an organization that had announced plans to build a Philippines-based cryptocurrency exchange, as well as .hwp documents pertaining to the Bitzet and Idex crypto exchanges. Political phishing lures referenced U.S.-North Korean relations and President Donald Trump’s summit with North Korean leader King Jong-un in Singapore.
CARROTBAT was initially discovered in December 2017, the blog post notes, while researchers were investigating a phishing attack on a British government agency that also used U.S.-North Korean relations as a lure. CARROTBAT was not actually used as a dropper in this case, but it was uncovered while examining the attackers’ infrastructure, which was designed to spread SYSCON malware.
In addition to SYSCON, Palo Alto Networks also found overlapping infrastructure with KONNI malware, a malicious remote administration tool (RAT) known to target the Southeast Asia region and abuse free web hosting providers for its C2 infrastructure.
“Finding CARROTBAT provided an important lynchpin in identifying Fractured Block Campaign activity. Using CARROTBAT, we were able to find related OceanSalt, SYSCON and KONNI activity,” the researchers explain in the blog post. “The various overlaps encountered are notable, and it is our suspicion that this threat activity may all belong to the same threat actor. However, we do not believe there to be enough evidence at this time to make this claim with complete certainty.”