
Carbon Backdoor

Posted: October 29, 2020

The Carbon Backdoor is a custom-made Remote Access Trojan (RAT). This threat is part of the arsenal of an Advanced Persistent Threat group called Turla. Over its more than a decade of activity, the group has been assigned numerous aliases by the infosec community, among them Ouroboros, Snake, Venomous Bear and Waterbug. Certain aspects of the group's activities suggest that the hackers might have some connections to Russia. Turla has carried out quite a few attack campaigns against government targets, military entities and diplomatic institutions. According to the researchers at Accenture Cyber Threat Intelligence, between June and October 2020, Turla conducted an attack against a European government. The malware toolkit used in the campaign consisted of legacy malware, as well as several threats that had been upgraded with new capabilities. One of them is the second-stage backdoor Carbon.

Carbon Follows The New Cybercriminal Trends

Despite its prolonged period of activity, Turla shows signs that it is keeping its toolset relevant by integrating new techniques and functionalities into its legacy malware. In the Carbon Backdoor case, this sophisticated RAT consists of a modular framework capable of peer-to-peer communication through named pipes or TCP. The four modules have consistent internal names, and each is tasked with a different function:

  • SERVICE.EXE – A dropper that installs the other Carbon modules and the configuration file
  • SERVICE.DLL or KmSvc.DLL – A loader with the sole purpose of executing the main component
  • MSXIML.DLL – A module carrying out the communication with the Command-and-Control (C2, C&C) infrastructure
  • MSIMGHLP.DLL – The main component of Carbon, responsible for controlling the threat's tasks, delegating them to other compromised systems on the network, and ensuring the C&C communication by injecting the communication DLL into a legitimate process.

The new functionality added to the Carbon RAT is its ability to acquire tasks from a project hosted on Pastebin, a legitimate Web hosting service. The use of legitimate services as part of the Command-and-Control infrastructure has been growing in popularity among cybercriminal groups. This method provides threat actors with several distinct advantages: the traffic generated by the malware blends more naturally with the organization's normal network traffic, and the attackers gain increased flexibility when it comes to altering their C2 structure.
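As an added, defender-side example (not code from this page or from the Accenture report), the following Python flags the two behaviours described above in constructed endpoint telemetry: a non-browser process contacting Pastebin, and a process loading one of the module names listed earlier. The event format, the browser list, and the process names and paths in the sample events are assumptions made for the example.

```python
"""Flag two Carbon-style behaviours in constructed endpoint telemetry:
(1) a process other than a browser reaching Pastebin, the legitimate
    service the article says Carbon fetches its tasks from, and
(2) a process loading one of the DLL module names the article lists.
Event shape, paths and process names are constructed for this example."""
import json
from urllib.parse import urlsplit

# Module names taken from the article's description of Carbon (lower-cased).
CARBON_MODULE_NAMES = {"msximl.dll", "msimghlp.dll", "service.dll", "kmsvc.dll"}
# Assumed set of processes for which Pastebin traffic is ordinary user browsing.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
PASTE_HOSTS = {"pastebin.com"}

def host_of(url):
    """Return the lower-cased host part of a URL, without any port."""
    return urlsplit(url).netloc.lower().split(":")[0]

def is_paste_host(host):
    """Exact or subdomain match, so 'notpastebin.com' is not a hit."""
    return any(host == h or host.endswith("." + h) for h in PASTE_HOSTS)

def basename(path):
    """File name from a Windows path (the telemetry uses backslashes)."""
    return path.rsplit("\\", 1)[-1].lower()

def analyse(events):
    """Return (host, rule, process, detail) tuples for suspicious events."""
    findings = []
    for ev in events:
        proc = basename(ev.get("image", ""))
        if ev["type"] == "network":
            dest = host_of(ev["url"])
            if is_paste_host(dest) and proc not in BROWSERS:
                findings.append((ev["host"], "paste-site-from-non-browser", proc, dest))
        elif ev["type"] == "image_load":
            mod = basename(ev["module"])
            if mod in CARBON_MODULE_NAMES:
                findings.append((ev["host"], "carbon-module-name-loaded", proc, mod))
    return findings

def load_events(jsonl):
    return [json.loads(line) for line in jsonl.strip().splitlines()]

# Constructed sample telemetry (one JSON object per line).
SAMPLE_EVENTS = r"""
{"host": "ws01", "type": "network", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "url": "https://pastebin.com/raw/EXAMPLE"}
{"host": "ws01", "type": "network", "image": "C:\\Windows\\System32\\svchost.exe", "url": "https://pastebin.com/raw/EXAMPLE"}
{"host": "ws01", "type": "image_load", "image": "C:\\Windows\\System32\\svchost.exe", "module": "C:\\Windows\\System32\\MSXIML.DLL"}
{"host": "ws01", "type": "image_load", "image": "C:\\Windows\\explorer.exe", "module": "C:\\Windows\\System32\\msxml3.dll"}
{"host": "ws01", "type": "network", "image": "C:\\Windows\\System32\\svchost.exe", "url": "https://www.microsoft.com/"}
"""

if __name__ == "__main__":
    for finding in analyse(load_events(SAMPLE_EVENTS)):
        print(finding)
```

Only the svchost.exe request to Pastebin and the MSXIML.DLL load are reported; the browser's Pastebin request and the similarly named msxml3.dll are left alone.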
