1. Home
  2. Software
  3. Carbon

Carbon

Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.[1][2]

ID: S0335
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 29 January 2019
Last Modified: 25 April 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1543 .003 创建或修改系统进程: Windows Service

Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine.[1]
Enterprise T1573 .002 加密通道: Asymmetric Cryptography

Carbon has used RSA encryption for C2 communications.[3]
Enterprise T1140 反混淆/解码文件或信息

Carbon decrypts task and configuration files for execution.[1][3]
Enterprise T1071 .001 应用层协议: Web Protocols

Carbon can use HTTP in C2 communications.[3]
Enterprise T1074 .001 数据分段: Local Data Staging

Carbon creates a base directory that contains the files and folders that are collected.[1]
Enterprise T1048 .003 替代协议渗出: Exfiltration Over Unencrypted Non-C2 Protocol

Carbon uses HTTP to send data to the C2 server.[1]
Enterprise T1069 权限组发现

Carbon uses the net group command.[4]
Enterprise T1012 查询注册表

Carbon enumerates values in the Registry.[1]
Enterprise T1027 混淆文件或信息

Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.[1][3]
Enterprise T1124 系统时间发现

Carbon uses the command net time \127.0.0.1 to get information the system’s time.[4]
Enterprise T1049 系统网络连接发现

Carbon uses the netstat -r and netstat -an commands.[4]
Enterprise T1016 系统网络配置发现

Carbon can collect the IP address of the victims and other computers on the network using the commands: ipconfig -all nbtstat -n, and nbtstat -s.[1][4]
Enterprise T1102 网络服务

Carbon can use Pastebin to receive C2 commands.[3]
Enterprise T1057 进程发现

Carbon can list the processes on the victim’s machine.[1]
Enterprise T1055 .001 进程注入: Dynamic-link Library Injection

Carbon has a command to inject code into a process.[1]
Enterprise T1018 远程系统发现

Carbon uses the net view command.[4]
Enterprise T1095 非应用层协议

Carbon uses TCP and UDP for C2.[1]
Enterprise T1053 .005 预定任务/作业: Scheduled Task

Carbon creates several tasks for later execution to continue persistence on the victim’s machine.[1]

Groups That Use This Software

ID Name References
G0010 Turla

[1][5]

References

  1. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  2. Kaspersky Lab's Global Research & Analysis Team. (2018, October 04). Shedding Skin – Turla’s Fresh Faces. Retrieved November 7, 2018.
  3. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  1. GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018.
  2. Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.