Turla Group Improves Carbon Backdoor

The Russia-linked threat group known as Turla has continued to make improvements to its Carbon second-stage backdoor, with new versions released on a regular basis, ESET reported on Thursday.

Turla has been active since at least 2007 and is believed to be responsible for several high-profile attacks, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command. The group is also known as Waterbug, KRYPTON and Venomous Bear, and some of its primary tools are tracked as Turla (Snake and Uroburos) and Epic Turla (Wipbot and Tavdig).

Carbon, also known as Pfinet, is another tool used by the group and ESET has described it as a lite version of Uroburos. Carbon is a second-stage backdoor that is typically deployed after the reconnaissance phase of an attack, which involves malware such as Tavdig. Carbon was also used in the attack aimed at RUAG.

According to ESET, Carbon has several components, including a dropper, a command and control (C&C) communications element, an orchestrator, and a loader that executes the orchestrator. These components are mostly DLL files, except for the loader, which is an EXE file.

The security firm has identified several versions of Carbon compiled last year; the most recent has a compilation date of October 21, 2016.

ESET pointed out that Turla has been making changes to its tools once they are exposed. In the case of Carbon, file names and mutexes have been modified in version 3.8, released in the summer of 2016, compared to version 3.7, which had been used since 2014.

The main component of the Carbon framework is the orchestrator, which is used to inject the C&C communications library into a legitimate process, and dispatch the tasks received via the C&C library to other computers on the network. Before C&C communications are initiated, the malware checks the infected system for the presence of packet capture software, such as Wireshark and Tcpdump.

In addition to changed file names and mutexes, ESET said the newer versions of Carbon use more encryption, including for files and the names of modules, functions and processes.

In February, Kaspersky Lab revealed that the Turla group had started using a new piece of JavaScript malware to profile victims.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
