Russian espionage group Turla has been developing its tooling for years, including several new versions of Carbon, a second-stage backdoor.
The discovery was made by researchers from ESET, who say that the malware is still under active development. Since the group is well known for changing its tools once they are exposed, it is no great surprise that Turla keeps pushing out new versions, changing mutexes and file names between major releases.
It seems that the Turla group usually works in multiple stages, first doing reconnaissance on their victim’s systems before deploying their sophisticated tools, including Carbon.
Researchers describe a “classic” Carbon compromise chain as starting with the user receiving a spearphishing email or visiting a compromised website, typically one the user visits regularly (a watering hole). Once this initial attack succeeds, a first-stage backdoor such as Tavdig or Skipper is installed on the user’s machine. Only after the reconnaissance phase is done is Carbon installed on key systems.
What does it do?
In short, Carbon is a sophisticated backdoor used by Turla to steal sensitive information from targets of interest. The Carbon framework consists of a dropper that installs the other components and the configuration file; a component that communicates with the C&C server; an orchestrator that handles tasks, dispatches them to other computers on the network, and injects the C&C communication DLL into a legitimate process; and a loader that executes the orchestrator.
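The orchestrator's habit of injecting the C&C DLL into a legitimate process is the behaviour a defender can most easily look for, independent of the mutex and file names that change between versions. The following detection sketch is an added example, not ESET's or Turla's code: it assumes Sysmon-style CreateRemoteThread records (Event ID 8) reduced to Python dicts with the fields SourceImage and TargetImage, and flags remote-thread creation from an unexpected source into a commonly abused host process. The allowlists and the sample events are constructed for illustration.

```python
"""Flag remote-thread creation into commonly abused host processes.

Added example (not from ESET or the Carbon malware itself). Assumes
Sysmon Event ID 8 (CreateRemoteThread) records already parsed into
dicts; BENIGN_SOURCES and LEGIT_TARGETS are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Host processes that an injector commonly picks because they are
# expected to be running and talking to the network (assumption).
LEGIT_TARGETS = {"explorer.exe", "svchost.exe", "outlook.exe", "iexplore.exe"}

# Sources that create remote threads as part of normal Windows
# operation; extend per environment (assumption).
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


@dataclass(frozen=True)
class Alert:
    source: str
    target: str
    reason: str


def analyze(events: Iterable[dict]) -> List[Alert]:
    """Return one Alert per suspicious CreateRemoteThread event."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue  # only CreateRemoteThread records are relevant here
        src = ev["SourceImage"].lower()
        tgt = ev["TargetImage"].lower()
        if src == tgt or src in BENIGN_SOURCES:
            continue  # self-threads and known system sources are noise
        tgt_name = tgt.rsplit("\\", 1)[-1]
        if tgt_name in LEGIT_TARGETS:
            alerts.append(
                Alert(src, tgt, "remote thread into commonly abused host process")
            )
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Vendor\agent.exe",
     "TargetImage": r"C:\Program Files\Vendor\helper.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"ALERT: {a.source} -> {a.target}: {a.reason}")
```

Only the thread created by the executable in a user's Temp directory into explorer.exe is reported; the csrss.exe source, the non-Event-8 record, the vendor-to-vendor thread and the self-thread are all dropped. In production the allowlists should come from baselining the environment rather than from the hard-coded sets above.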