Carbon is a sophisticated second-stage backdoor and modular framework that has been in use since at least 2014 by the Russian-speaking Turla group. Carbon continues to be deployed against government and foreign-affairs organizations in Central Asia and is expected to remain in use through 2019.
Turla operations in 2014 that involved Carbon delivery were part of a long-term global campaign affecting hundreds of victims. First stages are typically backdoors such as Tavdig, Epic, or Skipper. Only a small portion of these compromises were upgraded to the malware set known as "the Carbon framework", and even fewer received the Snake rootkit for "extreme persistence".
The Carbon system is an extensible attack framework, similar in design to the Equation Group-linked Tilded (Duqu/Stuxnet) and Flame platforms. It is built from four components:
"SERVICE.EXE" - a dropper that installs the Carbon components and the configuration file
"SERVICE.DLL" or "KmSvc.DLL" - a loader that communicates with the Command and Control (C2) server
"MSIMGHLP.DLL" - the orchestrator, which handles tasks, dispatches them to other computers on the network, and injects the communication library into a legitimate process
"MSXIML.DLL" - the injected communication library
Seven process threads are created by the malware. Each thread has a specific role:
1. Fetch configuration
2. Periodically check Carbon storage folder
3. Execute Carbon tasks
4. Communicate via named pipe or TCP to dispatch tasks to other computers on the same network
5. Load and execute plugins
6. Inject the communication library into other processes on the local machine
7. Check whether a packet-capture tool is running, and halt C2 communications if it is
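The component list and thread layout above translate directly into host-level hunting checks: look for the four component file names, look for MSXIML.DLL loaded in a process that does not also host the orchestrator (the injection performed by thread 6), and record whether a capture tool is running, because thread 7 means a silent C2 channel during analysis is not evidence of absence. The script below is an added example written for this page, not Carbon code and not from any vendor report. The component names come from the page; the service name, the capture-tool names, the inventory layout and the sample host data are constructed assumptions for illustration.

```python
"""
Host-triage helper (illustrative, written for this page; not Carbon code
and not taken from any vendor report).

Encodes the Carbon component and thread layout as three checks over a
host inventory. Component file names are from the page; the service
name, the capture-tool list and the sample inventory are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Component file names as given in the write-up (case-insensitive match).
CARBON_COMPONENTS = {
    "service.exe": "dropper",
    "service.dll": "loader",
    "kmsvc.dll": "loader",
    "msimghlp.dll": "orchestrator",
    "msximl.dll": "injected communication library",
}

# Assumption: typical Windows capture tools. The page says only that
# Carbon checks for packet capture; it does not list which tools.
CAPTURE_TOOLS = {"wireshark.exe", "tshark.exe", "dumpcap.exe",
                 "windump.exe", "tcpdump.exe"}


@dataclass
class Process:
    pid: int
    name: str
    modules: List[str] = field(default_factory=list)  # loaded module paths


@dataclass
class HostInventory:
    processes: List[Process]
    services: Dict[str, str]  # service name -> image or ServiceDll path


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_components(inv: HostInventory) -> Dict[str, List[str]]:
    """Map each known component name to where it was seen (service or module)."""
    hits: Dict[str, List[str]] = {}
    for svc, path in inv.services.items():
        base = _basename(path)
        if base in CARBON_COMPONENTS:
            hits.setdefault(base, []).append(f"service:{svc}")
    for p in inv.processes:
        for m in p.modules:
            base = _basename(m)
            if base in CARBON_COMPONENTS:
                hits.setdefault(base, []).append(f"pid:{p.pid}:{p.name}")
    return hits


def injected_hosts(inv: HostInventory) -> List[Tuple[int, str]]:
    """Processes carrying MSXIML.DLL without the orchestrator: thread 6's injection."""
    out = []
    for p in inv.processes:
        mods = {_basename(m) for m in p.modules}
        if "msximl.dll" in mods and "msimghlp.dll" not in mods:
            out.append((p.pid, p.name))
    return out


def capture_tool_running(inv: HostInventory) -> bool:
    """True if a capture tool is up; thread 7 would then silence C2 traffic."""
    return any(p.name.lower() in CAPTURE_TOOLS for p in inv.processes)


def triage(inv: HostInventory) -> dict:
    hits = find_components(inv)
    return {
        "components": hits,
        "injected": injected_hosts(inv),
        "capture_tool_running": capture_tool_running(inv),
        "verdict": ("Carbon components present" if hits
                    else "no Carbon components found"),
    }


# Constructed sample inventory (assumption): loader + orchestrator in a
# service host, the communication DLL injected into explorer.exe, and
# Wireshark running on the box.
SAMPLE_INVENTORY = HostInventory(
    processes=[
        Process(612, "svchost.exe",
                [r"C:\Windows\System32\kmsvc.dll",
                 r"C:\Windows\System32\msimghlp.dll"]),
        Process(1480, "explorer.exe",
                [r"C:\Windows\System32\shell32.dll",
                 r"C:\Windows\System32\msximl.dll"]),
        Process(2044, "Wireshark.exe", []),
        Process(3001, "notepad.exe", [r"C:\Windows\System32\kernel32.dll"]),
    ],
    services={"kmsvc": r"C:\Windows\System32\kmsvc.dll"},  # assumed name
)

if __name__ == "__main__":
    for k, v in triage(SAMPLE_INVENTORY).items():
        print(f"{k}: {v}")
```

The injection check is the one worth keeping even if the file names change between samples: a process that has the communication DLL but not the orchestrator is the footprint of thread 6, and on a clean host no process should carry either.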