CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.[1]

ID: S0465
Type: TOOL
Platforms: Windows
Version: 1.0
Created: 02 June 2020
Last Modified: 10 June 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | CARROTBALL has the ability to use FTP in C2 communications.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | CARROTBALL has the ability to download and install a remote payload.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | CARROTBALL has used a custom base64 alphabet to decode files.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | CARROTBALL has been executed through users being lured into opening malicious e-mail attachments.[1] |