Carbon Paper: Peering into Turla’s second stage backdoor | WeLiveSecurity
Common Information
Type Value
UUID 6ec81c96-3ff1-46d4-b927-209051a87460
Fingerprint 3612dc312d338491
Analysis status DONE
Considered CTI value 2
Text language
Published March 30, 2017, 2 p.m.
Added to db Feb. 17, 2023, 10:05 p.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline Carbon Paper: Peering into Turla’s second stage backdoor
Title Carbon Paper: Peering into Turla’s second stage backdoor | WeLiveSecurity
Detected Hints/Tags/Attributes 90/3/100
Attributes
Details Type #Events CTI Value
Details Github username 26
eset
Details Url 1
https://github.com/eset/malware-ioc/tree/master/turla
Details Windows Registry Key 16
HKLM\Software\Microsoft\Internet
Details Windows Registry Key 2
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet
Details Yara rule 1
import "pe"
import "hash"

// Note: the pe and hash modules are imported but not referenced by this rule.
// uint16(0) == 0x5a4d requires the file to start with an MZ (DOS/PE) header,
// so the three strings are only matched inside executables.
rule generic_carbon {
	strings:
		$s1 = "ModStart"
		$s2 = "STOP|OK"
		$s3 = "STOP|KILL"
	condition:
		(uint16(0) == 0x5a4d) and all of them
}
Details Yara rule 1
import "pe"

// `tags` is not a YARA built-in: it is an external variable that the scanning
// harness must define (for example with yara's -d option), otherwise the rule
// fails to compile with an undefined identifier error.
rule carbon_metadata {
	condition:
		(pe.version_info["InternalName"] contains "SERVICE.EXE" or
		 pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or
		 pe.version_info["InternalName"] contains "MSXIML.DLL") and
		pe.version_info["CompanyName"] contains "Microsoft Corporation" and
		not (tags contains "signed")
}
Details Yara rule 1
// `file_name` is likewise an external variable (the name of the scanned file),
// not a YARA built-in; it must be supplied by the scanning harness.
rule carbon_2016_filenames {
	condition:
		file_name contains "wkstrend.xml" or
		file_name contains "cifrado.xml" or
		file_name contains "fsbootfail.dat" or
		file_name contains "encodebase.inf" or
		file_name contains "zcerterror.png" or
		file_name contains "mkfieldsec.dll"
}