OpenCarrot is malicious software (malware) that targets Windows operating systems, giving its operators unauthorized remote access to and control over infected machines. Identified by IBM X-Force, it has been linked to the Lazarus Group, a North Korean cyber threat operation known for its sophisticated attacks. The malware supports a wide range of functionality, including reconnaissance, file system and process manipulation, reconfiguration and connectivity commands, and monitoring for newly attached USB drives as a potential lateral movement vector within an infected network. It also uses relatively long sleep periods between bursts of activity, a characteristic often seen in Lazarus Group malware.
The malware was discovered in two instances of North Korea-linked compromise of sensitive internal IT infrastructure at a Russian Defense Industrial Base (DIB) organization, NPO Mashinostroyeniya, a missile and satellite developer. The attackers infiltrated the defense firm's email server and deployed OpenCarrot, giving them full control of the infected machines and the ability to coordinate activity across the compromised network. SentinelOne, a cybersecurity company, attributes the compromise of the mail server to the ScarCruft APT group, while linking the deployment of the OpenCarrot backdoor to the Lazarus Group.
Further investigation into a leaked NPO Mashinostroyeniya email revealed a cyber incident involving the deployment of a malicious DLL on the company's systems in May. This led to the discovery, reported by SentinelLabs, that the missile maker had been compromised by the OpenCarrot backdoor. Researchers noted the presence of the OpenCarrot Windows backdoor during their analysis, highlighting the continued threat posed by this malware and the threat groups associated with it.
Description last updated: 2024-05-04T21:05:53.565Z