Opencarrot

Malware updated 7 months ago (2024-05-04T21:18:29.661Z)
OpenCarrot is a malicious software (malware) that targets Windows operating systems, enabling unauthorized access and control over infected machines. Identified by IBM X-Force, it has been linked to the activities of the Lazarus Group, a North Korean cyber threat operation known for its sophisticated attacks. The malware supports a wide range of functionalities, including reconnaissance, file system and process manipulation, reconfiguration and connectivity commands, and monitoring of new USB drives for potential lateral movement within an infected network. It also features relatively long sleep time periods, a characteristic often seen among Lazarus Group malware.

The malware was discovered in two instances of North Korea-related compromise of sensitive internal IT infrastructure within a Russian Defense Industrial Base (DIB) organization, NPO Mashinostroyeniya, a missile and satellite developer. The criminals infiltrated the defense firm's email server and deployed OpenCarrot, allowing them total takeover of the infected machines and coordination across the compromised network. SentinelOne, a cybersecurity company, attributes the hack of the mail server to the ScarCruft APT group, while linking the deployment of the OpenCarrot backdoor to the Lazarus Group.

Further investigation into a leaked NPO Mashinostroyeniya email indicated a cyber incident involving the deployment of a malicious DLL on their systems in May. This led to the discovery that the missile maker had been impacted by the OpenCarrot backdoor malware, as reported by SentinelLabs. The presence of the OpenCarrot Windows OS backdoor was noted by researchers during their analysis, highlighting the continued threat posed by this malware and its associated threat groups.
Description last updated: 2024-05-04T21:05:53.565Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Windows
Backdoor
Associated Threat Actors
Description: The ScarCruft Threat Actor is associated with Opencarrot. ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean state-sponsored threat actor known for targeting high-value individuals and organizations to further North Korea's geopolitical objectives. This group has shown its agility in adopting new malware delivery me
Association Type: Unspecified
Votes: 2