S0335 Carbon
Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.[1][2]
| Item | Value |
|---|---|
| ID | S0335 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 29 January 2019 |
| Last Modified | 25 April 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Carbon can use HTTP in C2 communications.[3] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Carbon establishes persistence by creating a service and naming it based on the operating system version running on the current machine.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Carbon creates a base directory that contains the files and folders that are collected.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Carbon decrypts task and configuration files for execution.[1][3] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Carbon has used RSA encryption for C2 communications.[3] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Carbon uses HTTP to send data to the C2 server.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | Carbon uses TCP and UDP for C2.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Carbon encrypts configuration files and tasks for the malware to complete using the CAST-128 algorithm.[1][3] |
| enterprise | T1069 | Permission Groups Discovery | Carbon uses the net group command.[4] |
| enterprise | T1057 | Process Discovery | Carbon can list the processes on the victim’s machine.[1] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Carbon has a command to inject code into a process.[1] |
| enterprise | T1012 | Query Registry | Carbon enumerates values in the Registry.[1] |
| enterprise | T1018 | Remote System Discovery | Carbon uses the net view command.[4] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Carbon creates several tasks for later execution to continue persistence on the victim’s machine.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Carbon can collect the IP address of the victims and other computers on the network using the commands ipconfig -all, nbtstat -n, and nbtstat -s.[1][4] |
| enterprise | T1049 | System Network Connections Discovery | Carbon uses the netstat -r and netstat -an commands.[4] |
| enterprise | T1124 | System Time Discovery | Carbon uses the command net time \\127.0.0.1 to get information about the system’s time.[4] |
| enterprise | T1102 | Web Service | Carbon can use Pastebin to receive C2 commands.[3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0010 | Turla | [1][5] |
References
1. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
2. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 04). Shedding Skin – Turla’s Fresh Faces. Retrieved November 7, 2018.
3. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
4. GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018.
5. Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.