‘Carbon’ copies: ESET continues to find new variants of backdoor used by Turla Group

Carbon, a second-stage backdoor used in campaigns launched by Russia's Turla APT group, continues to be actively updated on a regular basis, according to ESET, whose researchers recently observed new variations in the malware's components, file names and mutexes.

In a blog post Thursday, ESET analyzed the sophisticated data-stealing malware, which is typically downloaded on infected machines only after Turla actors perform reconnaissance using a first-stage backdoor program such as Tavdig and Skipper to determine if the target is interesting enough to further compromise.

ESET noted that Carbon is very similar to Uroburos, a rootkit also used by Turla – although unlike Uroburos it lacks exploits and kernel components. The malware consists of a dropper, a command-and-control communication component, a main "orchestrator" component, and a loader that executes the orchestrator. In its blog post, ESET explained that the orchestrator is primarily used to inject the DLL code for C&C communication into a legitimate process and also to" dispatch the tasks received from the injected library to other computers on the same network..."

By analyzing compilation dates and internal version numbers that were hardcoded in the malware, ESET has identified eight different compilation dates for Carbon from February 2014 to October 2016. Some of these recompiled versions included upgraded orchestrators or updated injected libraries. Various versions of orchestrators contain different file names and create different mutexes, ESET continued.