Register to stream ATT&CKcon 2.0 October 29-30


Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.[1][2]

ID: S0335
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery Carbon runs the net group command to list accounts on the system. [3]
Enterprise T1043 Commonly Used Port Carbon uses port 80 for C2 communications. [1]
Enterprise T1074 Data Staged Carbon creates a base directory that contains the files and folders that are collected. [1]
Enterprise T1140 Deobfuscate/Decode Files or Information Carbon decrypts task and configuration files for execution. [1]
Enterprise T1048 Exfiltration Over Alternative Protocol Carbon uses HTTP to send data to the C2 server. [1]
Enterprise T1050 New Service Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine. [1]
Enterprise T1027 Obfuscated Files or Information Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm. [1]
Enterprise T1057 Process Discovery Carbon can list the processes on the victim’s machine. [1]
Enterprise T1055 Process Injection Carbon has a command to inject code into a process. [1]
Enterprise T1012 Query Registry Carbon enumerates values in the Registry. [1]
Enterprise T1018 Remote System Discovery Carbon uses the net view command. [3]
Enterprise T1053 Scheduled Task Carbon creates several tasks for later execution to continue persistence on the victim’s machine. [1]
Enterprise T1095 Standard Non-Application Layer Protocol Carbon uses TCP and UDP for C2. [1]
Enterprise T1016 System Network Configuration Discovery Carbon can collect the IP address of the victims and other computers on the network using the commands: ipconfig -all nbtstat -n, and nbtstat -s. [1] [3]
Enterprise T1049 System Network Connections Discovery Carbon uses the netstat -r and netstat -an commands. [3]
Enterprise T1124 System Time Discovery Carbon uses the command net time \ to get information the system’s time. [3]

Groups That Use This Software

ID Name References
G0010 Turla [1]