Carbon

Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.[1][2]

ID: S0335
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery

Carbon runs the net group command to list accounts on the system.[3]

Enterprise T1043 Commonly Used Port

Carbon uses port 80 for C2 communications.[1]

Enterprise T1074 Data Staged

Carbon creates a base directory that contains the files and folders that are collected.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Carbon decrypts task and configuration files for execution.[1]

Enterprise T1048 Exfiltration Over Alternative Protocol

Carbon uses HTTP to send data to the C2 server.[1]

Enterprise T1050 New Service

Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine.[1]

Enterprise T1027 Obfuscated Files or Information

Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.[1]

Enterprise T1057 Process Discovery

Carbon can list the processes on the victim’s machine.[1]

Enterprise T1055 Process Injection

Carbon has a command to inject code into a process.[1]

Enterprise T1012 Query Registry

Carbon enumerates values in the Registry.[1]

Enterprise T1018 Remote System Discovery

Carbon uses the net view command.[3]

Enterprise T1053 Scheduled Task

Carbon creates several tasks for later execution to continue persistence on the victim’s machine.[1]

Enterprise T1095 Standard Non-Application Layer Protocol

Carbon uses TCP and UDP for C2.[1]

Enterprise T1016 System Network Configuration Discovery

Carbon can collect the IP address of the victims and other computers on the network using the commands: ipconfig -all nbtstat -n, and nbtstat -s.[1][3]

Enterprise T1049 System Network Connections Discovery

Carbon uses the netstat -r and netstat -an commands.[3]

Enterprise T1124 System Time Discovery

Carbon uses the command net time \127.0.0.1 to get information the system’s time.[3]

Groups That Use This Software

ID Name References
G0010 Turla [1]

References