CARROTBAT

Malware updated 4 months ago (2024-05-04T16:08:34.407Z)
Carrotbat is a malware family first discovered in December 2017 during an attack. The discovery was made by Unit 42, which dubbed the family "Carrotbat". It was found to be related to another attack on a British government agency because of overlaps within the attack infrastructure, although there is no evidence that Carrotbat was used in that particular attack. The malware has been associated with a campaign called 'Fractured Block'. It can infiltrate systems via suspicious downloads, emails, or websites, with the potential to steal personal information, disrupt operations, or hold data for ransom.

Since its initial discovery, a total of 29 unique Carrotbat samples have been identified, containing 12 confirmed unique decoy documents. The group behind Carrotbat has been observed increasing the variety and complexity of its payload delivery mechanisms over time, starting with simple Base64 strings and later leveraging Carrotbat itself and another malware family called Carrotball. The development and use of Carrotball alongside Carrotbat suggest that the group's previous infection methods might be becoming less effective.

In 2018, Unit 42 released several blogs on the Konni Group's activities and identified two new malware families, Nokki and Carrotbat, that the group was using in its attacks. Unit 42 continued to observe targeted Carrotbat activity into 2019, indicating that both Carrotbat and Carrotball were still being used by the Konni Group. AutoFocus customers can track these samples using various tags, including FracturedStatue, Syscon, Konni, Carrotbat, and Carrotball.
Description last updated: 2023-11-29T04:07:16.699Z
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the CARROTBAT Malware was read from the documents corpus below.
Source: MITRE. Created: 2 years ago. Title: The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks
Source: MITRE. Created: 2 years ago. Title: The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia