Carbon

Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.[1][2]

ID: S0335
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

DomainIDNameUse
EnterpriseT1087Account DiscoveryCarbon runs the net group command to list accounts on the system.[3]
EnterpriseT1043Commonly Used PortCarbon uses port 80 for C2 communications.[1]
EnterpriseT1074Data StagedCarbon creates a base directory that contains the files and folders that are collected.[1]
EnterpriseT1140Deobfuscate/Decode Files or InformationCarbon decrypts task and configuration files for execution.[1]
EnterpriseT1048Exfiltration Over Alternative ProtocolCarbon uses HTTP to send data to the C2 server.[1]
EnterpriseT1050New ServiceCarbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine.[1]
EnterpriseT1027Obfuscated Files or InformationCarbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.[1]
EnterpriseT1057Process DiscoveryCarbon can list the processes on the victim’s machine.[1]
EnterpriseT1055Process InjectionCarbon has a command to inject code into a process.[1]
EnterpriseT1012Query RegistryCarbon enumerates values in the Registry.[1]
EnterpriseT1018Remote System DiscoveryCarbon uses the net view command.[3]
EnterpriseT1053Scheduled TaskCarbon creates several tasks for later execution to continue persistence on the victim’s machine.[1]
EnterpriseT1095Standard Non-Application Layer ProtocolCarbon uses TCP and UDP for C2.[1]
EnterpriseT1016System Network Configuration DiscoveryCarbon can collect the IP address of the victims and other computers on the network using the commands: ipconfig -all nbtstat -n, and nbtstat -s.[1][3]
EnterpriseT1049System Network Connections DiscoveryCarbon uses the netstat -r and netstat -an commands.[3]
EnterpriseT1124System Time DiscoveryCarbon uses the command net time \\127.0.0.1 to get information the system’s time.[3]

Groups

Groups that use this software:

Turla

References