Security Experts:

Turla Group Improves Carbon Backdoor

The Russia-linked threat group known as Turla has continued to make improvements to its Carbon second-stage backdoor, with new versions released on a regular basis, ESET reported on Thursday.

Turla has been active since at least 2007 and is believed to be responsible for several high-profile attacks, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command. The group is also known as Waterbug, KRYPTON and Venomous Bear, and some of its primary tools are tracked as Turla (Snake and Uroburos) and Epic Turla (Wipbot and Tavdig).

Carbon, also known as Pfinet, is another tool used by the group and ESET has described it as a lite version of Uroburos. Carbon is a second-stage backdoor that is typically deployed after the reconnaissance phase of an attack, which involves malware such as Tavdig. Carbon was also used in the attack aimed at RUAG.

According to ESET, Carbon has several components, including a dropper, a command and control (C&C) communications element, an orchestrator, and a loader that executes the orchestrator. These components are mostly DLL files, except for the loader, which is an EXE file.

The security firm has identified several versions of Carbon compiled last year; the most recent has a compilation date of October 21, 2016.

ESET pointed out that Turla has been making changes to its tools once they are exposed. In the case of Carbon, file names and mutexes have been modified in version 3.8, released in the summer of 2016, compared to version 3.7, which had been used since 2014.

The main component of the Carbon framework is the orchestrator, which is used to inject the C&C communications library into a legitimate process, and dispatch the tasks received via the C&C library to other computers on the network. Before C&C communications are initiated, the malware checks the infected system for the presence of packet capture software, such as Wireshark and Tcpdump.

In addition to changed file names and mutexes, ESET said the newer versions of Carbon use more encryption, including for files and the names of modules, functions and processes.

In February, Kaspersky Lab revealed that the Turla group had started using a new piece of JavaScript malware to profile victims.

Related: Turla-Linked Group Targets Embassies, Ministries

Related: False Flags and Mis-Direction in Hacker Attribution

Related: State-Sponsored Attackers Use Web Analytics for Reconnaissance

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.