CARROTBAT

Malware Profile Updated 3 months ago
CARROTBAT is a malware family first discovered by Unit 42 in December 2017, in the course of an attack; Unit 42 dubbed the family "CARROTBAT". It was linked to a separate attack on a British government agency through overlaps in the attack infrastructure, although there is no evidence that CARROTBAT was used in that particular attack. The malware is associated with the campaign Unit 42 calls 'Fractured Block', in which it is delivered by spear-phishing with decoy documents and acts as a dropper for further payloads.

Since its initial discovery, 29 unique CARROTBAT samples have been identified, containing 12 confirmed unique decoy documents. The group behind CARROTBAT has increased the type and complexity of its payload delivery mechanisms over time, starting with simple Base64 strings and later using CARROTBAT itself and another malware family, CARROTBALL. The development and use of CARROTBALL alongside CARROTBAT suggest that the group's earlier infection methods may have become less effective.

Unit 42 continued to observe targeted CARROTBAT activity into 2019, indicating that both CARROTBAT and CARROTBALL were still in use by the Konni Group. In 2018, Unit 42 had published several blogs on the Konni Group's activities and identified two new malware families, NOKKI and CARROTBAT, used in its attacks. AutoFocus customers can track these samples using the tags FracturedStatue, Syscon, Konni, Carrotbat, and Carrotball.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.

ID | Votes | Profile Description
CARROTBALL | 1 | None
SYSCON | 1 | In January 2018, the McAfee Advanced Threat Research team discovered a new variant of the SYSCON backdoor malware being used in an operation. This variant appeared in a malicious Word document containing a Visual Basic macro that dropped and executed an upgraded version of the implant. The malware w
KONNI | 1 | Konni is a malware, short for malicious software, that poses a significant threat to computer systems and data. It is designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Konni can wreak havoc by stealin
NOKKI | 1 | NOKKI is a malicious software (malware) that was first identified in January 2018, with activities traced throughout the year. It originated from an investigation into a new malware family named NOKKI, which showed significant code overlap and other ties to KONNI, a previously identified malware. Th
Fracturedstatue | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: CARROTBALL, Payload, Malware, Decoy
ID | Type | Votes | Profile Description
OceanSalt | Unspecified | 1 | None
Associated Threat Actors
ID | Type | Votes | Profile Description
Konni Group | Unspecified | 1 | The Konni Group, also known as TA406, is a threat actor believed to be associated with North Korean cyberespionage activities. According to cybersecurity firm DuskRise, the group has been involved in sophisticated cyberattacks, including one where they compromised a foreign ministry email account to
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the CARROTBAT malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks
MITRE | a year ago | The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia