Over the past decade, the cyberattackers behind Turla have shown quite a broad arsenal of tools – all of them focused on acquiring data from selected high profile institutions in Europe and USA. Today, ESET researchers released their discoveries in an in-depth analysis of the innovations found in the latest versions of Turla’s second stage backdoor, dubbed Carbon.

Known to change their tools once exposed, Turla group keeps its malware in constant development, changing mutexes and file names between each version. This is valid for Carbon as well – in the three years since its development, ESET researchers have been able to confirm eight active versions thus far. Notorious for its painstaking efforts and its work in stages, Turla group first performs reconnaissance on their victim’s systems before deploying their most sophisticated tools such as Carbon.

A classic Carbon compromise chain starts with a user receiving a spear phishing email or visiting a previously compromised website, typically one that the user visits regularly — a technique known as a watering hole attack. After a successful attack, a first stage backdoor — such as Tavdig or Skipper — is installed on the victim’s machine. Once the reconnaissance phase is over, a second stage backdoor, like Carbon, is installed on key systems.

The architecture of Carbon consists of a dropper that installs the Carbon components and its configuration file, a component that communicates with Command and Control servers (C&C), and an orchestrator that handles tasks, dispatches them to other computers on the network and injects them into a legitimate process -the DLL- that communicates with the C&C and a loader that executes the orchestrator.

“Carbon shares some similarities with  other Turla’s tool – rootkit Uroburos. The most relevant resemblance being the communication framework. The communication objects are implemented in the same way, the structures and virtual tables look identical except that there are fewer communication channels in Carbon,” explains the paper. “Carbon might be the “lite” version of Uroburos without kernel components and exploits.”

To read the technical analysis of Carbon, please visit ESET’s news site WeLiveSecurity.com.