Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.[1][2]

ID: S0335
Platforms: Windows
Version: 1.2
Created: 29 January 2019
Last Modified: 25 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Carbon can use HTTP in C2 communications.[3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Carbon creates a base directory that contains the files and folders that are collected.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Carbon decrypts task and configuration files for execution.[1][3]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Carbon has used RSA encryption for C2 communications.[3]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Carbon uses HTTP to send data to the C2 server.[1]

Enterprise T1095 Non-Application Layer Protocol

Carbon uses TCP and UDP for C2.[1]

Enterprise T1027 Obfuscated Files or Information

Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.[1][3]

Enterprise T1069 Permission Groups Discovery

Carbon uses the net group command.[4]

Enterprise T1057 Process Discovery

Carbon can list the processes on the victim’s machine.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Carbon has a command to inject code into a process.[1]

Enterprise T1012 Query Registry

Carbon enumerates values in the Registry.[1]

Enterprise T1018 Remote System Discovery

Carbon uses the net view command.[4]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Carbon creates several tasks for later execution to continue persistence on the victim’s machine.[1]

Enterprise T1016 System Network Configuration Discovery

Carbon can collect the IP address of the victims and other computers on the network using the commands: ipconfig -all nbtstat -n, and nbtstat -s.[1][4]

Enterprise T1049 System Network Connections Discovery

Carbon uses the netstat -r and netstat -an commands.[4]

Enterprise T1124 System Time Discovery

Carbon uses the command net time \ to get information the system’s time.[4]

Enterprise T1102 Web Service

Carbon can use Pastebin to receive C2 commands.[3]

Groups That Use This Software

ID Name References
G0010 Turla