Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
SOFTWARE
Aria-body
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. Carbon

Carbon

Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.[1][2]

ID: S0335
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 29 January 2019
Last Modified: 28 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Carbon runs the net group command to list accounts on the system.[3]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine.[1]
Enterprise T1074 .001 Data Staged: Local Data Staging

Carbon creates a base directory that contains the files and folders that are collected.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Carbon decrypts task and configuration files for execution.[1]
Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Carbon uses HTTP to send data to the C2 server.[1]
Enterprise T1095 Non-Application Layer Protocol

Carbon uses TCP and UDP for C2.[1]
Enterprise T1027 Obfuscated Files or Information

Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.[1]
Enterprise T1057 Process Discovery

Carbon can list the processes on the victim’s machine.[1]
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Carbon has a command to inject code into a process.[1]
Enterprise T1012 Query Registry

Carbon enumerates values in the Registry.[1]
Enterprise T1018 Remote System Discovery

Carbon uses the net view command.[3]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Carbon creates several tasks for later execution to continue persistence on the victim’s machine.[1]
Enterprise T1016 System Network Configuration Discovery

Carbon can collect the IP address of the victims and other computers on the network using the commands: ipconfig -all nbtstat -n, and nbtstat -s.[1][3]
Enterprise T1049 System Network Connections Discovery

Carbon uses the netstat -r and netstat -an commands.[3]
Enterprise T1124 System Time Discovery

Carbon uses the command net time \127.0.0.1 to get information the system’s time.[3]

Groups That Use This Software

ID Name References
G0010 Turla

[1]

References

  1. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  2. Kaspersky Lab's Global Research & Analysis Team. (2018, October 04). Shedding Skin – Turla’s Fresh Faces. Retrieved November 7, 2018.
  1. GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018.