CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.[1][2]

ID: S0462
Platforms: Windows
Version: 1.0
Created: 02 June 2020
Last Modified: 15 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

CARROTBAT has the ability to execute command line arguments on a compromised host.[2]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

CARROTBAT has the ability to delete downloaded files from a compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

CARROTBAT has the ability to download and execute a remote file via certutil.[1]

Enterprise T1027 Obfuscated Files or Information

CARROTBAT has the ability to download a base64 encoded payload and execute obfuscated commands on the infected host.[1]

Enterprise T1082 System Information Discovery

CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.[1][2]