S0465 CARROTBALL
CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.1
| Item | Value |
|---|---|
| ID | S0465 |
| Associated Names | |
| Type | TOOL |
| Version | 1.0 |
| Created | 02 June 2020 |
| Last Modified | 10 June 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.002 | File Transfer Protocols | CARROTBALL has the ability to use FTP in C2 communications.1 |
| enterprise | T1105 | Ingress Tool Transfer | CARROTBALL has the ability to download and install a remote payload.1 |
| enterprise | T1027 | Obfuscated Files or Information | CARROTBALL has used a custom base64 alphabet to decode files.1 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | CARROTBALL has been executed through users being lured into opening malicious e-mail attachments.1 |