Recent News - Carbon, Turla’s Latest Version of Malware Under Microscope


Over the past decade, the cyberattackers behind Turla have shown quite a broad arsenal of tools – all of them focused on acquiring data from selected high profile institutions in Europe and USA. Today, ESET researchers released their discoveries in an in-depth analysis of the innovations found in the latest versions of Turla’s second stage backdoor, dubbed Carbon.

Known to change their tools once exposed, Turla group keeps its malware in constant development, changing mutexes and file names between each version. This is valid for Carbon as well – in the three years since its development, ESET researchers have been able to confirm eight active versions thus far. Notorious for its painstaking efforts and its work in stages, Turla group first performs reconnaissance on their victim’s systems before deploying their most sophisticated tools such as Carbon.

A classic Carbon compromise chain starts with a user receiving a spear phishing email or visiting a previously compromised website, typically one that the user visits regularly — a technique known as a watering hole attack. After a successful attack, a first stage backdoor — such as Tavdig or Skipper — is installed on the victim’s machine. Once the reconnaissance phase is over, a second stage backdoor, like Carbon, is installed on key systems.

The architecture of Carbon consists of a dropper that installs the Carbon components and its configuration file, a component that communicates with Command and Control servers (C&C), and an orchestrator that handles tasks, dispatches them to other computers on the network and injects them into a legitimate process -the DLL- that communicates with the C&C and a loader that executes the orchestrator.

“Carbon shares some similarities with  other Turla’s tool – rootkit Uroburos. The most relevant resemblance being the communication framework. The communication objects are implemented in the same way, the structures and virtual tables look identical except that there are fewer communication channels in Carbon,” explains the paper. “Carbon might be the “lite” version of Uroburos without kernel components and exploits.”

To read the technical analysis of Carbon, please visit ESET’s news site


About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company continues to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organisations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.

ESET recently updated its two-factor authentication (2FA) application, adding a secure validation to weak and static user passwords. This updated version of ESET’s 2FA application provides flexibility and deeper integration of 2FA into bespoke applications, making it the best cost-effective solutions for SMBs everywhere.

The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries. For more information visit or follow us on Facebook.


About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. Headquartered in Hong Kong, the Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

For more information, please visit or call (65) 6296-4268.

Previous News Next News

Return to the previous page