The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia

2018-11-29 Palo Alto Networks

https://researchcenter.paloaltonetworks.com/2018/11/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/

Unit 42 identified the Fractured Block campaign using CARROTBAT, a previously unreported dropper that delivered decoy documents themed around South Korea, North Korea, cryptocurrency, exchanges, and political events. The activity included a December 2017 spear-phishing email to a senior British government target using a North Korea diplomacy lure and a DDE technique to download a SYSCON payload. CARROTBAT samples opened embedded decoy files and then used Windows certutil-driven commands to retrieve and execute follow-on payloads, with observed payloads including SYSCON and OceanSalt. Infrastructure pivots connected CARROTBAT to KONNI, SYSCON, and OceanSalt activity, but Unit 42 stated the evidence was not sufficient to attribute all of the activity to one actor with certainty.

Indicators of Compromise

