The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia
(Nov 29, 2018)
A new malware campaign targeting entities located in Southeast Asia has been discovered, according to Unit 42 researchers. The threat actors behind this campaign were observed using a new, custom dropper, dubbed "CARROTBAT," that distributes lures themed around North and South Korea. The campaign, dubbed "Fractured Block," uses CARROTBAT to infect machines with additional malware. CARROTBAT was first identified in a December 2017 attack that targeted a British government entity with a Remote Access Trojan (RAT) called "SYSCON," and it was through this connection that researchers identified the Fractured Block campaign. At the time of this writing, researchers have not specified CARROTBAT's initial infection vector; however, they do note that it has been observed dropping decoy files in 11 different document file formats.
Recommendation: Malware authors are always innovating new methods of communicating back to their control servers. Always practice Defense-in-Depth (do not rely on a single security mechanism; security measures should be layered, redundant, and failsafe).
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.