S0462 CARROTBAT
CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.[1][2]
| Item | Value |
|---|---|
| ID | S0462 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 02 June 2020 |
| Last Modified | 22 March 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | CARROTBAT has the ability to execute command line arguments on a compromised host.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | CARROTBAT has the ability to delete downloaded files from a compromised host.[1] |
| enterprise | T1105 | Ingress Tool Transfer | CARROTBAT has the ability to download and execute a remote file via certutil.[1] |
| enterprise | T1027 | Obfuscated Files or Information | CARROTBAT has the ability to download a base64 encoded payload.[1] |
| enterprise | T1027.010 | Command Obfuscation | CARROTBAT has the ability to execute obfuscated commands on the infected host.[1] |
| enterprise | T1082 | System Information Discovery | CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.[1][2] |
References
1. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
2. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.