Cobra Carbon System

Cobra Carbon System, Carbon, Pfinet
(Type: Backdoor, Info stealer)

Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.

[News Analysis] Trends:

Total Trend: 14

Trend Per Year
2014: 2
2015: 1
2016: 2
2017: 1
2018: 1
2019: 1
2020: 5
2023: 1


Trend Per Month
2014: 1
Aug 2014: 1
Jan 2015: 1
Jan 2016: 1
May 2016: 1
Mar 2017: 1
Oct 2018: 1
Apr 2019: 1
2020: 1
Mar 2020: 1
Jul 2020: 1
Sep 2020: 1
Oct 2020: 1
May 2023: 1



[News Analysis] News Mention Another Threat Name:

12 - Agent.BTZ
89 - Cobra Carbon System
9 - Uroburos
3 - Kazuar
3 - TurlaRPC
3 - Turla SilentMoon
6 - Alureon
6 - Aytoke
6 - CROSSWALK
6 - danbot
6 - ProtonBot
6 - Silence
70 - MESSAGETAP
70 - More_eggs
70 - 8.t Dropper
70 - Anchor
70 - BabyShark
70 - BadNews
70 - Clop
70 - Cobalt Strike
70 - CobInt
70 - Cutwail
70 - DanaBot
70 - Dharma
70 - DoppelDridex
70 - DoppelPaymer
70 - Dridex
70 - Emotet
70 - FlawedAmmyy
70 - FriedEx
70 - Gandcrab
70 - Get2
70 - IcedID
70 - ISFB
70 - KerrDown
76 - LightNeuron
70 - LockerGoga
70 - Maze
70 - MECHANICAL
70 - Necurs
70 - Nokki
70 - Outlook Backdoor
70 - Phobos
70 - Predator The Thief
70 - QakBot
70 - REvil
70 - RobinHood
70 - Ryuk
70 - SDBbot
79 - Skipper
70 - SmokeLoader
70 - TerraRecon
70 - TerraStealer
70 - TerraTV
70 - TinyLoader
70 - TrickBot
70 - Vidar
70 - Winnti
70 - ANTHROPOID SPIDER
70 - APT23
70 - APT31
70 - APT39
70 - APT40
70 - BlackTech
70 - BuhTrap
70 - Charming Kitten
70 - CLOCKWORK SPIDER
70 - DOPPEL SPIDER
70 - FIN7
70 - Gamaredon Group
70 - GOBLIN PANDA
70 - MONTY SPIDER
70 - MUSTANG PANDA
70 - NARWHAL SPIDER
70 - NOCTURNAL SPIDER
70 - PINCHY SPIDER
70 - SALTY SPIDER
70 - SCULLY SPIDER
70 - SMOKY SPIDER
70 - Thrip
70 - VENOM SPIDER
70 - VICEROY TIGER
11 - Mosquito
8 - Nautilus
8 - Neuron
9 - Turla
6 - KopiLuwak
6 - Gazer
6 - Meterpreter
4 - Wipbot


[TTP Analysis] Technique Performance:

reconnaissance: 0/43
resource development: 0/45
initial access: 0/19
execution: 1/36
persistence: 2/113
privilege escalation: 3/96
defense evasion: 3/184
credential access: 0/63
discovery: 7/44
lateral movement: 0/22
collection: 1/37
command and control: 4/39
exfiltration: 1/18
impact: 0/26


[TTP Analysis] Mitre Attack Matrix:

TA0043 Reconnaissance: (no techniques listed)

TA0042 Resource Development: (no techniques listed)

TA0001 Initial Access: (no techniques listed)

TA0002 Execution:
T1053.005 Scheduled Task/Job : Scheduled Task

TA0003 Persistence:
T1543.003 Create or Modify System Process : Windows Service
T1053.005 Scheduled Task/Job : Scheduled Task

TA0004 Privilege Escalation:
T1543.003 Create or Modify System Process : Windows Service
T1055.001 Process Injection : Dynamic-link Library Injection
T1053.005 Scheduled Task/Job : Scheduled Task

TA0005 Defense Evasion:
T1140 Deobfuscate/Decode Files or Information
T1027 Obfuscated Files or Information
T1055.001 Process Injection : Dynamic-link Library Injection

TA0006 Credential Access: (no techniques listed)

TA0007 Discovery:
T1069 Permission Groups Discovery
T1057 Process Discovery
T1012 Query Registry
T1018 Remote System Discovery
T1016 System Network Configuration Discovery
T1049 System Network Connections Discovery
T1124 System Time Discovery

TA0008 Lateral Movement: (no techniques listed)

TA0009 Collection:
T1074.001 Data Staged : Local Data Staging

TA0011 Command and Control:
T1071.001 Application Layer Protocol : Web Protocols
T1573.002 Encrypted Channel : Asymmetric Cryptography
T1095 Non-Application Layer Protocol
T1102 Web Service

TA0010 Exfiltration:
T1048.003 Exfiltration Over Alternative Protocol : Exfiltration Over Unencrypted Non-C2 Protocol

TA0040 Impact: (no techniques listed)


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Hunting Russian Intelligence “Snake” Malware

2023-05-09 by CISA from CISA

Turla uses HyperStack, Carbon, and Kazuar to compromise government entity

2020-10-28 by Cyber Defense from Accenture

Turla Carbon System

2020-09-25 by Marc from Github (sisoma2)

vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)

2020-07-21 by Mohamad Mokbel from YouTube (OPCDE with Matt Suiche)

2020 CrowdStrike Global Threat Report

2020-03-04 by CrowdStrike from CrowdStrike

IRON HUNTER

2020 by SecureWorks from Secureworks

TDL (Turla Driver Loader) Repository

2019-04-19 by hfiref0x from Github (hfiref0x)

Shedding Skin – Turla’s Fresh Faces

2018-10-04 by GReAT from Kaspersky Labs

Carbon Paper: Peering into Turla’s second stage backdoor

2017-03-30 by ESET Research from ESET Research

APT Case RUAG - Technical Report

2016-05-23 by GovCERT.ch from MELANI GovCERT

The Waterbug attack group

2016-01-14 by Security Response from Symantec

Analysis of Project Cobra

2015-01-20 by G Data from G Data

The Epic Turla Operation

2014-08-07 by GReAT from Kaspersky Labs

TR-25 Analysis - Turla / Pfinet / Snake / Uroburos

2014 by CIRCL from circl.lu

Basic Information (Credit @etda.or.th)

Tool: Cobra Carbon System

Names: Cobra Carbon System, Carbon, Pfinet

Description: Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.

Category: Malware

Type: Backdoor, Info stealer

Information: https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra

Information: https://github.com/hfiref0x/TDL

Information: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/

Information: https://securelist.com/analysis/publications/65545/the-epic-turla-operation/

Mitre-attack: https://attack.mitre.org/software/S0335/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra

Last-card-change: 2020-05-13

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043 Reconnaissance: (no techniques listed)

TA0042 Resource Development: (no techniques listed)

TA0001 Initial Access: (no techniques listed)

TA0002 Execution:
T1053.005
SCHEDULED TASK/JOB : SCHEDULED TASK
Carbon creates several tasks for later execution to continue persistence on the victim's machine.

TA0003 Persistence:
T1543.003
CREATE OR MODIFY SYSTEM PROCESS : WINDOWS SERVICE
Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine.
T1053.005
SCHEDULED TASK/JOB : SCHEDULED TASK
Carbon creates several tasks for later execution to continue persistence on the victim's machine.

TA0004 Privilege Escalation:
T1543.003
CREATE OR MODIFY SYSTEM PROCESS : WINDOWS SERVICE
Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine.
T1055.001
PROCESS INJECTION : DYNAMIC-LINK LIBRARY INJECTION
Carbon has a command to inject code into a process.
T1053.005
SCHEDULED TASK/JOB : SCHEDULED TASK
Carbon creates several tasks for later execution to continue persistence on the victim's machine.

TA0005 Defense Evasion:
T1140
DEOBFUSCATE/DECODE FILES OR INFORMATION
Carbon decrypts task and configuration files for execution.
T1027
OBFUSCATED FILES OR INFORMATION
Carbon encrypts configuration files and tasks for the malware to complete using the CAST-128 algorithm.
T1055.001
PROCESS INJECTION : DYNAMIC-LINK LIBRARY INJECTION
Carbon has a command to inject code into a process.

TA0006 Credential Access: (no techniques listed)

TA0007 Discovery:
T1069
PERMISSION GROUPS DISCOVERY
Carbon uses the net group command.
T1057
PROCESS DISCOVERY
Carbon can list the processes on the victim's machine.
T1012
QUERY REGISTRY
Carbon enumerates values in the registry.
T1018
REMOTE SYSTEM DISCOVERY
Carbon uses the net view command.
T1016
SYSTEM NETWORK CONFIGURATION DISCOVERY
Carbon can collect the IP address of the victim and of other computers on the network using the commands ipconfig -all, nbtstat -n, and nbtstat -s.
T1049
SYSTEM NETWORK CONNECTIONS DISCOVERY
Carbon uses the netstat -r and netstat -an commands.
T1124
SYSTEM TIME DISCOVERY
Carbon uses the command net time \\127.0.0.1 to get information on the system's time.

TA0008 Lateral Movement: (no techniques listed)

TA0009 Collection:
T1074.001
DATA STAGED : LOCAL DATA STAGING
Carbon creates a base directory that contains the files and folders that are collected.

TA0011 Command and Control:
T1071.001
APPLICATION LAYER PROTOCOL : WEB PROTOCOLS
Carbon can use HTTP in C2 communications.
T1573.002
ENCRYPTED CHANNEL : ASYMMETRIC CRYPTOGRAPHY
Carbon has used RSA encryption for C2 communications.
T1095
NON-APPLICATION LAYER PROTOCOL
Carbon uses TCP and UDP for C2.
T1102
WEB SERVICE
Carbon can use Pastebin to receive C2 commands.

TA0010 Exfiltration:
T1048.003
EXFILTRATION OVER ALTERNATIVE PROTOCOL : EXFILTRATION OVER UNENCRYPTED NON-C2 PROTOCOL
Carbon uses HTTP to send data to the C2 server.

TA0040 Impact: (no techniques listed)