A phishing campaign targeting the Korean peninsula is using a malicious dropper called CARROTBAT to deliver decoy documents and secondary payloads such as remote access trojans to its victims.

Dubbed Fractured Block, the campaign began last March, but has noticeably picked up steam in the last three months, according to a blog post by Josh Grunzweig and Kyle Wilhoit, researchers at Palo Alto Networks' Unit 42 division.

Unit 42 has so far identified 29 unique CARROTBAT samples, noting that their final payloads have varied between the FTP-based RAT SYSCON and the recently discovered Oceansalt malware implant that uses code associated with APT1 (aka Comment Crew), a reputed Chinese APT actor.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.