Carbon
Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Carbon can use HTTP in C2 communications. (Citation: Accenture HyperStack October 2020) |
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine. (Citation: ESET Carbon Mar 2017) |
Enterprise | T1074.001 | Data Staged: Local Data Staging | Carbon creates a base directory that contains the files and folders that are collected. (Citation: ESET Carbon Mar 2017) |
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Carbon has used RSA encryption for C2 communications. (Citation: Accenture HyperStack October 2020) |
Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Carbon uses HTTP to send data to the C2 server. (Citation: ESET Carbon Mar 2017) |
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Carbon has a command to inject code into a process. (Citation: ESET Carbon Mar 2017) |
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Carbon creates several tasks for later execution to continue persistence on the victim’s machine. (Citation: ESET Carbon Mar 2017) |

Groups That Use This Software

ID | Name | References |
---|---|---|
G0010 | Turla | (Citation: ESET Carbon Mar 2017) (Citation: Secureworks IRON HUNTER Profile) |

References
- ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 04). Shedding Skin – Turla’s Fresh Faces. Retrieved November 7, 2018.
- Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
- GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018.
- Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.