Skip to content

S0335 Carbon

Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.12

Item Value
ID S0335
Associated Names
Version 1.2
Created 29 January 2019
Last Modified 25 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Carbon can use HTTP in C2 communications.3
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Carbon creates a base directory that contains the files and folders that are collected.1
enterprise T1140 Deobfuscate/Decode Files or Information Carbon decrypts task and configuration files for execution.13
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography Carbon has used RSA encryption for C2 communications.3
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Carbon uses HTTP to send data to the C2 server.1
enterprise T1095 Non-Application Layer Protocol Carbon uses TCP and UDP for C2.1
enterprise T1027 Obfuscated Files or Information Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.13
enterprise T1069 Permission Groups Discovery Carbon uses the net group command.4
enterprise T1057 Process Discovery Carbon can list the processes on the victim’s machine.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Carbon has a command to inject code into a process.1
enterprise T1012 Query Registry Carbon enumerates values in the Registry.1
enterprise T1018 Remote System Discovery Carbon uses the net view command.4
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Carbon creates several tasks for later execution to continue persistence on the victim’s machine.1
enterprise T1016 System Network Configuration Discovery Carbon can collect the IP address of the victims and other computers on the network using the commands: ipconfig -all nbtstat -n, and nbtstat -s.14
enterprise T1049 System Network Connections Discovery Carbon uses the netstat -r and netstat -an commands.4
enterprise T1124 System Time Discovery Carbon uses the command net time \ to get information the system’s time.4
enterprise T1102 Web Service Carbon can use Pastebin to receive C2 commands.3

Groups That Use This Software

ID Name References
G0010 Turla 15