The new variants found by ESET are quite sophisticated

Mar 30, 2017 22:48 GMT  ·  By

Russian espionage group Turla has been working on various tools for years, including several new versions of Carbon, a second-stage backdoor.

The discovery was made by researchers from ESET, who say the malware is still under active development. Since the group is well known for changing its tools once they are exposed, it's not much of a surprise that they're pushing version after version, changing mutexes and file names between major versions.

It seems that the Turla group usually works in multiple stages, first doing reconnaissance on their victim's systems before deploying their sophisticated tools, including Carbon.

Researchers say that a "classic" Carbon compromise chain starts with a user receiving a spear-phishing email or visiting a compromised website, typically one that the user visits regularly. Once this attack succeeds, a first-stage backdoor such as Tavdig or Skipper is installed on the user's machine. Once the recon phase is done, Carbon is installed on key systems.

What does it do?

In short, Carbon is a sophisticated backdoor used by Turla to steal sensitive information from targets of interest. The Carbon framework consists of a dropper that installs the components and the configuration file; a component that communicates with the C&C; an orchestrator that handles tasks, dispatches them to other computers, and injects the C&C communication DLL into a legitimate process; and a loader that executes the orchestrator.

"Carbon shares some similarities with another Turla tool, the rootkit Uroburos. The most relevant resemblance is the communication framework. The communication objects are implemented in the same way, the structures and virtual tables look identical except that there are fewer communication channels in Carbon. Carbon might be the 'lite' version of Uroburos without kernel components and exploits," ESET researchers note about this malware family.