The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia
Unit 42 has uncovered a campaign that uses a previously unreported, customized dropper to deliver lures pertaining primarily to South Korea and North Korea. The lures cover a range of subjects, including various cryptocurrencies, cryptocurrency exchanges, and political events. Based on information observed within the dropper, Unit 42 has named this malware family CARROTBAT.
CARROTBAT was initially discovered while investigating an attack in December 2017 against a British government agency that used the SYSCON malware family. SYSCON is a simple remote access Trojan (RAT) that uses the file transfer protocol (FTP) for its command-and-control communications. There is no evidence that the attack against the British government agency itself made use of the CARROTBAT dropper, but overlaps in that attack's infrastructure ultimately led us to CARROTBAT's initial discovery, as well as to other ties between these …
IoC
0490e7d24defc2f0a4239e76197f1cba50e7ce4e092080d2f7db13ea0f88120b
0bb099849ed7076177aa8678de65393ef0d66e026ad5ab6805c1c47222f26358
1142dcc02b9ef34dca2f28c22613a0489a653eb0aeafe1370ca4c00200d479e0
1c8351ff968f16ee904031f6fba8628af5ca0db01b9d775137076ead54155968
22b16fa7af7b51880faceb33dd556242331daf7b7749cabd9d7c9735fb56aa10
2547b958f7725539e9bba2a1852a163100daa1927bb621b2837bb88007857a48
26fc6fa6acc942d186a31dc62be0de5e07d6201bdff5d7b2f1a7521d1d909847
2da750b50ac396a41e99752d791d106b686be10c27c6933f0d3afe762d6d0c48
2efdd25a8a8f21c661aab2d4110cd7f89cf343ec6a8674ff20a37a1750708f27
337b8c2aac80a44f4e7f253a149c65312bc952661169066fe1d4c113348cc27b
3663e7b197efe91fb7879a56c29fb8ed196815e0145436ee2fad5825c29de897
3869c738fa80b1e127f97c0afdb6c2e1c15115f183480777977b8422561980dd
3cbccb059225669dcfdc7542ce28666e0b1a227714eaf4b16869808bffe90b96
3e4015366126dcdbdcc8b5c508a6d25c
42e18ef3aaadac5b40a37ec0b3686c0c2976d65c978a2b685fefe50662876ded
59b023b30d8a76c5984fe62d2e751875b8b3ebe2d520891458cb66a4e9c40005
5a2c53a20fd66467e87290f5845a5c7d6aa8d460426abd30d4a6adcffca06b8b
5d1388c23c94489d2a166a429b8802d726298be7eb0c95585f2759cebad040cf
61.14.210.72
62886d8b9289bd92c9b899515ff0c12966b96dd3e4b69a00264da50248254bb7
6c591dddd05a2462e252997dc9d1ba09a9d9049df564d00070c7da36e526a66a
70106ebdbf4411c32596dae3f1ff7bf192b81b0809f8ed1435122bc2a33a2e22
7ae933ed7fc664df4865840f39bfeaf9daeb3b88dcd921a90366635d59bc15f2
7cf37067f08b0b8f9c58a35d409fdd6481337bdc2d5f2152f8e8f304f8a472b6
7d443434c302431734caf1d034c054ad80493c4c703d5aaeafa4a931a496b2ae
7d8376057a937573c099e3afe2d8e4b8ec8cb17e46583a2cab1a4ac4b8be1c97
824f79a8ee7d8a23a0371fab83de44db6014f4d9bdea90b47620064e232fd3e3
87c50166f2ac41bec7b0f3e3dba20c7264ae83b13e9a6489055912d4201cbdfc
8b6b4a0e0945c6daf3ebc8870e3bd37e54751f95162232d85dc0a0cc8bead9aa
92b45e9a3f26b2eef4a86f3dae029f5821cffec78c6c64334055d75dbf2a62ef
9fa69bdc731015aa7bdd86cd311443e6f829fa27a9ba0adcd49fa773fb5e7fa9
a0f53abde0d15497776e975842e7df350d155b8e63d872a914581314aaa9c1dc
a23f95b4a602bdaef1b58e97843e2f38218554eb57397210a1aaa68508843bd0
a943e196b83c4acd9c5ce13e4c43b4f4
ac23017efc19804de64317cbc90efd63e814b5bb168c300cfec4cfdedf376f4f
aef92be267a05cbff83aec0f23d33dfe0c4cdc71f9a424f5a2e59ba62b7091de
ba100e7bac8672b9fd73f2d0b7f419378f81ffb56830f6e27079cb4a064ba39a
ba78f0a6ce53682942e97b5ad7ec76a2383468a8b6cd5771209812b6410f10cb
cf31dac47680ff1375ddaa3720892ed3a7a70d1872ee46e6366e6f93123f58d2
cfe436c1f0ce5eb7ac61b32cd073cc4e4b21d5016ceef77575bef2c2783c2d62
d34aabf20ccd93df9d43838cea41a7e243009a3ef055966cb9dea75d84b2724d
d965627a12063172f12d5375c449c3eef505fde1ce4f5566e27ef2882002b5d0
da94a331424bc1074512f12d7d98dc5d8c5028821dfcbe83f67f49743ae70652
dca9bd1c2d068fc9c84a754e4dcf703629fbe2aa33a089cb50a7e33e073f5cea
e218b19252f242a8f10990ddb749f34430d3d7697cbfb6808542f609d2cbf828
e3b45b2e5d3e37f8774ae22a21738ae345e44c07ff58f1ab7178a3a43590fddd
e527ade24beacb2ef940210ba9acb21073e2b0dadcd92f1b8f6acd72b523c828
e66e416f300c7efb90c383a7630c9cfe901ff9fd
e8381f037a8f70d8fc3ee11a7bec98d6406a289e1372c8ce21cf00e55487dafc
f27d640283372eb805df794ae700c25f789d77165bb98b7174ee03a617a566d4
f459f9cfbd10b136cafb19cbc233a4c8342ad984
f4c00cc0d7872fb756e2dc902f1a22d14885bf283c8e183a81b2927b363f5084
fa712f2bebf30592dd9bba4fc3befced4c727b85a036550fc3ac70d1965f8de5
fceceb104bed6c8e85fff87b1bf06fde5b4a57fe7240b562a51727a37034f659
fe186d04ca6afec2578386b971b5ecb189d8381be055790a9e6f78b3f23c9958
fe8d65287dd40ca0a1fadddc4268268b4a77cdb04a490c1a73aa15b6e4f1dd63
ffd1e66c2385dae0bb6dda186f004800eb6ceaed132aec2ea42b1ddcf12a5c4e
http://61.14.210.72
http://61.14.210.72:7117
http://881.000webhostapp.com
http://NKNews.org
http://a7788.1apps.com/att/1.txt
http://attach10132.1apps.com/1.txt
http://bluemountain.1apps.com/1.txt
http://filer1.1apps.com/1.txt
http://files.000webhost.com
http://ftp.byethost10.com
http://ftp.byethost7.com
http://ftp.bytehost31.org
http://hanbosston.000webhostapp.com/1.txt
http://s8877.1apps.com/vip/1.txt
http://s8877.1apps.com/vip/setup.txt
http://s8877.1apps.com/vip/setup2.txt
http://webhost.com
https://071790.000webhostapp.com/1.txt
https://7077.000webhostapp.com/vic/1.txt
https://881.000webhostapp.com/0_31.doc
https://881.000webhostapp.com/1.txt
https://vnik.000webhostapp.com/1.txt
https://www.webmail-koryogroup.com/keep/1.txt
[email protected]
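The list above is a flat mix of indicator types: SHA256, SHA1 and MD5 file hashes (64, 40 and 32 hex characters), one bare IPv4 address, and full URLs, several of which point at hosts under shared free-hosting domains (000webhostapp.com, 1apps.com, byethost) or at the same IP that also appears on its own. Feeding such a list into detection tooling means sorting it by type first and deciding what granularity to match on. The Python below is an added example for that step and is not code from the Unit 42 post; it classifies each line by shape, groups URLs by host, and cross-references bare IPs against URL hosts. The sample input is a constructed excerpt of the indicators listed above, chosen to cover every type present; the shared-hosting caveat in the comments is this editor's assessment, not a claim from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a short excerpt of the indicators listed above, chosen
# so that every indicator type in the list (three hash lengths, a bare IPv4
# address, a URL on that same IP, URLs on shared hosting, a bare domain URL)
# is represented. It is input for the parser, not a new indicator set.
SAMPLE_IOCS = """
0490e7d24defc2f0a4239e76197f1cba50e7ce4e092080d2f7db13ea0f88120b
3e4015366126dcdbdcc8b5c508a6d25c
e66e416f300c7efb90c383a7630c9cfe901ff9fd
61.14.210.72
http://61.14.210.72:7117
https://881.000webhostapp.com/1.txt
http://881.000webhostapp.com
http://s8877.1apps.com/vip/setup.txt
http://NKNews.org
"""

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify_ioc(token):
    """Return (kind, normalized_value) for one indicator line.

    kind is one of md5 / sha1 / sha256 / ipv4 / url / unknown. Hashes are
    lowercased; URLs are kept verbatim because the path is what makes a URL
    on a shared hosting provider specific to this campaign.
    """
    token = token.strip()
    if HEX_RE.match(token) and len(token) in HASH_TYPES:
        return HASH_TYPES[len(token)], token.lower()
    if IPV4_RE.match(token) and all(int(o) <= 255 for o in token.split(".")):
        return "ipv4", token
    if token.lower().startswith(("http://", "https://")):
        return "url", token
    # Anything else (a redacted e-mail address, a truncated or odd-length
    # hash, a malformed IP) is kept but flagged so it is not silently dropped.
    return "unknown", token


def parse_ioc_list(text):
    """Split a newline-separated indicator list into per-type lists."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, value = classify_ioc(line)
        buckets[kind].append(value)
    return dict(buckets)


def urls_by_host(urls):
    """Group URLs by their lowercased host, with any port stripped.

    Editor's caveat: hosts such as 881.000webhostapp.com sit on a shared
    hosting provider, so match on the specific host or the full URL rather
    than the provider's apex domain, which would also hit unrelated tenants.
    """
    groups = defaultdict(list)
    for url in urls:
        host = urlparse(url).hostname
        if host:
            groups[host].append(url)
    return dict(groups)


def ips_with_urls(buckets):
    """Cross-reference bare IPv4 indicators with URLs whose host is that IP,
    so a network hit on the address and one on the URL can be tied together."""
    hosts = urls_by_host(buckets.get("url", []))
    return {ip: hosts[ip] for ip in buckets.get("ipv4", []) if ip in hosts}


if __name__ == "__main__":
    parsed = parse_ioc_list(SAMPLE_IOCS)
    for kind, values in sorted(parsed.items()):
        print(f"{kind}: {len(values)}")
    for host, urls in sorted(urls_by_host(parsed["url"]).items()):
        print(f"{host}: {urls}")
    print("IPs that also appear as URL hosts:", ips_with_urls(parsed))
```

Run it on the full list above and anything landing in the `unknown` bucket deserves a look before the list is loaded into a blocklist: a 40- or 32-character entry is a SHA1 or MD5 that will never match a SHA256 feed, and a redacted e-mail address is not a usable indicator at all.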