Malware Dropper Supports a Dozen Decoy Document Formats

A recently discovered malware dropper has the ability to use nearly a dozen decoy document file formats to drop various payloads, Palo Alto Networks security researchers warn. Dubbed CARROTBAT, the customized dropper is being used to deliver lures primarily pertaining to the Korean region, revolving around subjects such as crypto-currencies, crypto-currency exchanges, and political events. A December 2017 attack against a British government agency, which employed the SYSCON remote access Trojan (RAT), allowed the security researchers to discover the CARROTBAT dropper due to infrastructure overlaps. To date, Palo Alto Networks identified 29 unique CARROTBAT samples, containing a total of 12 confirmed unique decoy documents. The dropper first emerged in March 2018, but most of its activity was observed over the past three months. The threat was observed delivering a variety of payloads, such as SYSCON in older variants, and the OceanSalt malware family in newer samples.