{
	"id": "592ea920-79bf-4710-a8e6-b15558e8eb51",
	"created_at": "2026-04-06T00:12:43.483043Z",
	"updated_at": "2026-04-10T13:12:37.43385Z",
	"deleted_at": null,
	"sha1_hash": "e2138ae6cbbedd971467d19c6ab004226ca3723d",
	"title": "Carbon Paper: Peering into Turla’s second stage backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126638,
	"plain_text": "Carbon Paper: Peering into Turla’s second stage backdoor\r\nBy ESET Research\r\nArchived: 2026-04-05 16:40:28 UTC\r\nThe following analysis is based on the version 4.x of msximl. This component may have changed in the latest\r\nversions.\r\nConfiguration fetching\r\nBesides the code in the \"Configuration fetching\" thread from the orchestrator (which is similar), a field \"sethttp1\"\r\nis retrieved from the [TRANSPORT] section.\r\nIf this value is set, HTTP 1.1 will be used for future connections.\r\nTasks execution\r\nThe tasks are retrieved from the C\u0026C server.\r\nThe tasks to be executed by the communication library are listed in the file \"b9s3coff.ax\" (for Carbon v3.7x) or\r\n\"cifrado.xml\" (for Carbon v3.8x).\r\nEach line of this file is composed in the following way:\r\ntask_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath\r\nThe task file and its config are decrypted (CAST-128) and the task executed. There are some options that are\r\nretrieved from the Carbon configuration file: \"time2task\" is used to set a timeout for the task execution (1 hour by\r\ndefault) while \"task_min\" and \"task_max\" are used as to wait a random time between the execution of the tasks on\r\nthe task list (the random time will be set between \"task_min\" and \"task_max\"). These parameters come from the\r\nsection [TIME].\r\nIf the task is a valid DLL file, it is loaded in the current process memory and a new thread is created to execute its\r\n\"start\" export. Otherwise, this is probably a command to execute. In this case, the configuration file is parsed. 
Like the Carbon configuration file, the task configuration file is formed as a Windows \"inf\" file and should contain a section [CONFIG] with the following parameters:\r\n[CONFIG]\r\nNAME (\"cmd.exe\" by default)\r\nARG\r\nRESULT (\"stdout\" by default)\r\nCOMPRESSION (\"yes\" by default)\r\nDELETE (\"no\" by default)\r\nhttps://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/\r\nPage 1 of 8\n\nThe command with its arguments is executed through the CreateProcess() function. The results are stored in the %task_result_filepath% file if the RESULT option is not set to \"stdout\", while errors and additional info are added to the task logfile.\r\nIf the option RESULT is set to stdout:\r\nthe task result file is deleted and the task execution output is written to the task logfile\r\nthe line \"task_id | \"1\" | task_log_filepath | object_id\" is added at the end of the file \"C_56743.NLS\" (Carbon 3.7x) or \"dsntype.gif\" (Carbon 3.8x)\r\nOtherwise:\r\nthe task execution output is written to the task result file and the errors / additional info to the task logfile\r\nthe line \"task_id | \"2\" | task_log_filepath | task_result_filepath | object_id\" is added at the end of the file \"C_56743.NLS\" (Carbon 3.7x) or \"dsntype.gif\" (Carbon 3.8x)\r\nIn both cases, the same line as written into \"C_56743.NLS\" is also written into the field \"run_task\" of the Carbon configuration file. 
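The task-list line, the [CONFIG] defaults and the two shapes of queue line described above are the pieces an analyst has to reconstruct when triaging a recovered Carbon installation. The following is an added Python example written for this page, not code from ESET or from the malware: it parses a b9s3coff.ax / cifrado.xml line, applies the [CONFIG] defaults to a task configuration, derives the C_56743.NLS / dsntype.gif line that a finished task produces, and classifies the records of that queue file by their id (10, 11, 20 or a task id). The install folder, the temporary file names and the victim uuid are constructed for the sample; the report gives only the ~D prefix and the folder names.

```python
import configparser

BS = chr(92)  # backslash, built with chr() so the sample stays free of escape sequences


def wpath(*parts):
    return BS.join(parts)


# Hypothetical install folders and victim id, constructed for this example: the report names
# the folders Nls, 0208/0409 and 208/1033 but not their parent directory.
NLS_DIR = wpath('C:', 'Windows', 'system32', 'Nls')
OUT_DIR = wpath('C:', 'Windows', 'system32', '0208')
VICTIM_UUID = '5e3d0a4b-7c1f-4e6a-9b2d-1f8a6c3e7d90'

TASK_LIST_FIELDS = ('task_id', 'task_filepath', 'task_config_filepath',
                    'task_result_filepath', 'task_log_filepath')

# [CONFIG] defaults listed in the report; ARG has no default and is empty unless set
CONFIG_DEFAULTS = {'NAME': 'cmd.exe', 'ARG': '', 'RESULT': 'stdout',
                   'COMPRESSION': 'yes', 'DELETE': 'no'}

# Record ids the C2 thread distinguishes in C_56743.NLS / dsntype.gif; anything else is a task id
KIND_BY_ID = {'10': 'log backup', '11': 'configuration file', '20': 'cryptographic key'}


def parse_task_list_line(line):
    '''One line of b9s3coff.ax / cifrado.xml: five pipe-separated fields.'''
    parts = [p.strip() for p in line.split('|')]
    if len(parts) != len(TASK_LIST_FIELDS):
        raise ValueError('expected 5 fields, got %d' % len(parts))
    return dict(zip(TASK_LIST_FIELDS, parts))


def parse_task_config(inf_text):
    '''Task configuration in Windows inf form; missing [CONFIG] keys fall back to the report defaults.'''
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep NAME/ARG/... case-sensitive instead of lower-casing them
    cp.read_string(inf_text)
    cfg = dict(CONFIG_DEFAULTS)
    if cp.has_section('CONFIG'):
        cfg.update({k: v.strip() for k, v in cp.items('CONFIG')})
    return cfg


def command_line(cfg):
    '''What CreateProcess() is handed: NAME followed by ARG.'''
    return (cfg['NAME'] + ' ' + cfg['ARG']).strip()


def queue_line_for_task(task, cfg, object_id):
    '''Line appended to C_56743.NLS / dsntype.gif (and copied into run_task) once the task has run.'''
    if cfg['RESULT'].lower() == 'stdout':
        # result file deleted, output went to the log file: one file to upload
        return '|'.join([task['task_id'], '1', task['task_log_filepath'], object_id])
    # output in the result file, errors in the log file: two files to upload
    return '|'.join([task['task_id'], '2', task['task_log_filepath'],
                     task['task_result_filepath'], object_id])


def parse_queue_line(line):
    '''Classify one upload record: id | val | file(s) | object_id.'''
    parts = [p.strip() for p in line.split('|')]
    if len(parts) not in (4, 5):
        raise ValueError('malformed queue line: ' + line)
    rec_id, val = parts[0], parts[1]
    if val == '1' and len(parts) == 4:
        files, object_id = [parts[2]], parts[3]
    elif val == '2' and len(parts) == 5:
        files, object_id = parts[2:4], parts[4]
    else:
        raise ValueError('val %s does not match %d fields' % (val, len(parts)))
    return {'id': rec_id, 'kind': KIND_BY_ID.get(rec_id, 'task result'),
            'files': files, 'object_id': object_id}


def parse_queue_file(lines):
    '''Every record of a recovered queue file (the C2 thread itself only reads the last one).'''
    return [parse_queue_line(l) for l in lines if l.strip()]


def process_task(task_line, inf_text, object_id):
    '''Walk one task the way the communication library does, returning what it would leave behind.'''
    task = parse_task_list_line(task_line)
    cfg = parse_task_config(inf_text)
    return cfg, command_line(cfg), queue_line_for_task(task, cfg, object_id)


# Constructed samples: file names are invented, the report only gives the ~D prefix and the folders
SAMPLE_TASK_LIST_LINE = '|'.join(['3', wpath(NLS_DIR, '~D3c1a.tmp'), wpath(NLS_DIR, '~D3c1b.tmp'),
                                  wpath(OUT_DIR, '~D3c1c.tmp'), wpath(OUT_DIR, '~D3c1d.tmp')])

SAMPLE_TASK_CONFIG = '''
[CONFIG]
ARG=/c whoami /all
RESULT=file
DELETE=yes
'''

SAMPLE_QUEUE_LINES = [
    '|'.join(['10', '1', wpath(OUT_DIR, '~D91ab.tmp'), VICTIM_UUID]),  # log backup
    '|'.join(['11', '1', wpath(OUT_DIR, '~D91ac.tmp'), VICTIM_UUID]),  # config backup
]

if __name__ == '__main__':
    cfg, cmd, line = process_task(SAMPLE_TASK_LIST_LINE, SAMPLE_TASK_CONFIG, VICTIM_UUID)
    print(cmd)
    for rec in parse_queue_file(SAMPLE_QUEUE_LINES + [line]):
        print(rec['id'], rec['kind'], rec['files'])
```

parse_queue_file() accepts any iterable of lines, so it can be pointed at an open handle of a recovered dsntype.gif; the order of records gives the upload history, and the last one is what the C\u0026C thread would send next.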
The \"run_task\" field might be intended as a way for the malware authors to know which task was executed last when the configuration file is sent to the C\u0026C server (check \"Configuration file backup\").\r\nLog rotation\r\nThe logfile is backed up and sent to the C\u0026C server periodically (by default this is done every two hours). Like the backup of the configuration file, this action is performed only during specific times of the day. Indeed, the log rotation will be performed only when the current local time is in the range defined in the configuration file.\r\nThe fields \"wh_min\" and \"wh_max\" are retrieved from the [TIME] section of the configuration file (by default: 8 and 20). The thread will execute the code only if the current hour of the day is between %wh_min% and %wh_max%.\r\nIf there is a value for the attribute \"timestop\" in the [TIME] section (which looks like \"wDay:wMonth:wYear:wHour:wMinute\"), the thread will execute the code only after this specific datetime.\r\nThe attributes \"lastsend\" and \"logperiod\" from the [LOG] section specify how long to wait before the log is backed up and sent to the C\u0026C server (by default: every two hours).\r\nA temporary file with a random name prefixed by \"~D\" is created in the folder \"208\" (for Carbon v3.7x) or \"1033\" (for Carbon v3.8x). The logfile content is copied into this new file. It is then compressed with Bzip2 and encrypted (CAST-128).\r\nA new line is added at the end of the file \"C_56743.NLS\" (for Carbon v3.7x) or \"dsntype.gif\" (for Carbon v3.8x):\r\n\"10|1|%s|%s\"\r\n1st field: an ID to identify the file as a logfile\r\n2nd field: 1 (file to be sent to the C\u0026C server)\r\n3rd field: the temp file path\r\n4th field: the victim uuid\r\nLast but not least, the attribute \"lastsend\" is updated with the current time and the original logfile is deleted.\r\nCommunication with the C\u0026C server\r\nThe code of this thread is used to retrieve new tasks from the C\u0026C server, to send new files to the server (the files listed in the file \"C_56743.NLS\" / \"dsntype.gif\") and to send the new tasks to the orchestrator.\r\nFirst request\r\nA random C\u0026C server address is chosen from the ones in the section \"CW_INET\". If the port and HTTP resource path are not specified, the default is to use port 80 and \"/javascript/view.php\".\r\nA user agent is set up in the following way:\r\nthe version of Internet Explorer is retrieved through the registry key \"HKLM\\Software\\Microsoft\\Internet Explorer\\Version\" and is concatenated to the string \"Mozilla/4.0 (compatible; MSIE %d.0; \"\r\nexample: \"Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0;\"\r\nconcatenate the previous string with the OS major/minor version values (through GetVersionExA())\r\n\"Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0; Windows NT 5.1; Trident/4.0\"\r\nenumerate the values under the key \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform\", concatenate each of them to the previous string and then append a closing paren.\r\nexample: \"Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; Media Center PC 6.0; SLCC2)\"\r\nThe field \"trans_timemax\" from the section [TIME] is retrieved. It is used to set the timeout for internet requests (through InternetSetOption()). It has a value of 10 minutes by default.\r\nA first GET request is performed on the root page of the C\u0026C web server to check that the host is alive. If no packet capture is running on the system, a new request is made to the C\u0026C server to check if new tasks are available. A \"PHPSESSID\" cookie is added to the request with the victim uuid as its value. A \"Referer\" header is added as well and set to the C\u0026C server URL.\r\nThe malware is expecting to get an answer to the GET request similar to:\r\n\u003cinput name=\"%name%\" value=\"%data_in_b64%\"\u003e\r\nIf the field \"value\" contains something, a new task is available.\r\nSend data to the server\r\nIf the file \"C_56743.NLS\" / \"dsntype.gif\" is not empty, it means there are data to be sent to the C\u0026C server. The file is parsed and the last line is retrieved. It contains details about the data to be sent. 
A data blob is built and each of the following fields is encrypted with CAST-128:\r\nid | val | tmp_filesize | tmp_content | [OPTIONAL (if val == 2) tmp2_filesize | tmp2_content] | len_object_id | object_id\r\nid = the type of data to send to the C\u0026C server, it can be:\r\n10: log backup\r\n11: configuration file\r\n20: a cryptographic key\r\notherwise: an id associated to a task, it can be the result of a task or an error log in the case of task execution failure\r\nval = 1 if there is only one file to send, 2 if there are two files\r\nobject_id = the victim uuid\r\nIf the field \"dtc\" from the section [CRYPTO] of the configuration file is set to 0, this whole blob is base64 encoded and sent to the C\u0026C server through a POST request.\r\nOtherwise, another layer of encryption is used. In this case, the data blob is signed and a random 3DES key is used to encrypt it. Because the 3DES key is randomly generated and the server needs it to decrypt the data, the key is encrypted with the server public key. The server key is retrieved from the field \"publicc\" of the section [CRYPTO] of the configuration file.\r\nThis new blob (encrypted_key | signature_data | encrypted data) is encoded in base64 and sent to the C\u0026C server through a POST request.\r\nIn order to avoid detection based on the data size sent in a request, the blob can be fragmented into several packets. An option in the configuration file (\"post_frag\" in the section [TRANSPORT]) defines whether the blob will be fragmented or sent in only one POST request.\r\nIf this option is set to \"yes\", the blob is divided into several fragments of a specific size. 
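The fragmentation described here, together with the request headers from the \"First request\" section (the full Internet Explorer version string in the User-Agent, the PHPSESSID cookie carrying the victim uuid, the Referer set to the C\u0026C URL and the default /javascript/view.php path), gives a defender something concrete to match on. The following added Python example, not code from ESET or from the malware, builds the fragmented POSTs with the Content-Range header whose format is given in the next paragraph, reassembles and validates them on the receiving side, and flags the combination of traits in a single request. The host name, the blob content, the benign comparison request and the assumption that a genuine Internet Explorer User-Agent carries only a major.minor version are constructed for the example.

```python
import base64
import re

C2_HOST = 'c2.example.test'            # hypothetical C2 host, not from the report
DEFAULT_PATH = '/javascript/view.php'  # default resource path named in the report
VICTIM_UUID = '5e3d0a4b-7c1f-4e6a-9b2d-1f8a6c3e7d90'  # constructed victim uuid
# User-Agent in the shape the report shows: the full IE Version registry string, not just major.minor
CARBON_UA = ('Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0; Windows NT 5.1; '
             'Trident/4.0; .NET CLR 2.0.50727; SLCC2)')

RANGE_RE = re.compile(r'bytes ([0-9]+)-([0-9]+)/([0-9]+); id=([0-9]+)')
# A genuine IE User-Agent carries only major.minor (MSIE 8.0;); three or more dotted components
# after MSIE is the Carbon artefact. Assumption of this example: no real browser emits that.
FULL_IE_VERSION_RE = re.compile(r'MSIE [0-9]+([.][0-9]+){2,};')
UUID_RE = re.compile(r'[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}')


def fragment_post(body, frag_size, task_id, http11=False):
    '''Client side: split the base64 blob into POST fragments of frag_size characters, each with
    the Content-Range header from the report (printed with %d here, the report shows %u). The
    report computes the end as i+(fragment_size-1); clamping the last fragment to the real end
    is an assumption of this example.'''
    total = len(body)
    reqs = []
    for start in range(0, total, frag_size):
        chunk = body[start:start + frag_size]
        headers = {
            'Host': C2_HOST,
            'User-Agent': CARBON_UA,
            'Cookie': 'PHPSESSID=' + VICTIM_UUID,
            'Referer': 'http://' + C2_HOST + '/',
            'Content-Range': 'bytes %d-%d/%d; id=%d' % (start, start + len(chunk) - 1, total, task_id),
        }
        if http11:
            headers['Expect'] = '100-continue'
        reqs.append({'method': 'POST', 'path': DEFAULT_PATH, 'headers': headers, 'body': chunk})
    return reqs


def reassemble(reqs):
    '''Receiving side: verify the fragments are contiguous and complete, return (task_id, body).'''
    if not reqs:
        raise ValueError('no fragments')
    expected, total, task_id, parts = 0, None, None, []
    for r in reqs:
        m = RANGE_RE.fullmatch(r['headers'].get('Content-Range', ''))
        if m is None:
            raise ValueError('missing or malformed Content-Range')
        start, end, size, tid = (int(x) for x in m.groups())
        if total is None:
            total, task_id = size, tid
        if start != expected or size != total or tid != task_id or end - start + 1 != len(r['body']):
            raise ValueError('fragment out of sequence or inconsistent')
        parts.append(r['body'])
        expected = end + 1
    if expected != total:
        raise ValueError('upload incomplete: %d of %d' % (expected, total))
    return task_id, ''.join(parts)


def cookie_value(headers, name):
    for part in headers.get('Cookie', '').split(';'):
        key, _, value = part.strip().partition('=')
        if key == name:
            return value
    return None


def carbon_indicators(req):
    '''Proxy-log style check: which of the report-derived traits does one request show?'''
    h = req['headers']
    hits = []
    if FULL_IE_VERSION_RE.search(h.get('User-Agent', '')):
        hits.append('ua_full_ie_version')
    sid = cookie_value(h, 'PHPSESSID')
    if sid is not None and UUID_RE.fullmatch(sid):
        hits.append('phpsessid_is_uuid')
    if req['method'] == 'POST' and '; id=' in h.get('Content-Range', ''):
        hits.append('content_range_with_id_on_post')  # Content-Range is a response header; on a POST it is odd
    if req['path'] == DEFAULT_PATH:
        hits.append('default_c2_path')
    return hits


# Constructed benign request for comparison: ordinary IE User-Agent, ordinary PHP session id
BENIGN_REQUEST = {'method': 'POST', 'path': '/login.php',
                  'headers': {'Host': 'intranet.example.test',
                              'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
                              'Cookie': 'PHPSESSID=8f3b9c2a1d4e5f60718293a4b5c6d7e8'},
                  'body': 'user=alice'}


def demo(frag_size=300, task_id=3):
    '''Stand-in for the encrypted blob: 768 arbitrary bytes, base64-encoded to 1024 characters.'''
    blob = base64.b64encode(bytes(range(256)) * 3).decode('ascii')
    frags = fragment_post(blob, frag_size, task_id, http11=True)
    tid, joined = reassemble(frags)
    return {'fragments': len(frags), 'task_id': tid, 'intact': joined == blob,
            'indicators': carbon_indicators(frags[0]), 'benign': carbon_indicators(BENIGN_REQUEST)}


if __name__ == '__main__':
    print(demo())
```

Any one of these traits on its own is weak (self-referers and PHPSESSID cookies are everywhere); the value is in the combination, which is why carbon_indicators() returns the full list rather than a verdict.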
The fragment size comes from another field in the configuration file: \"post_frag_size\".\r\nAn additional header will be added to the request:\r\n\"Content-Range: bytes %u-%u/%u; id=%u\\r\\n\", i, i+(fragment_size-1), data_size, task_id\r\nIf the option http11 is set, a specific header is added as well:\r\n\"Expect: 100-continue\\r\\n\"\r\nFor each fragment sent, the fields \"post_frag_size\" and \"pfslastset\" from the config file (section [CW_INET_RESULTS]) are updated with the fragment size and the timestamp.\r\nGet new tasks\r\nNew tasks are retrieved from the C\u0026C server by parsing the html page. The malware expects to find the html tag \u003cinput\u003e in the page with a base64 encoded blob in its \"value\" attribute. Once decoded, this blob contains:\r\nan encrypted block of 128 bytes that contains a structure \"PUBLICKEYSTRUC\" followed by a cryptographic key (probably a 3DES key)\r\nsignature data (128 bytes) to verify the integrity of the next block\r\na block of encrypted data that contains the task\r\nThe malware uses an RSA private key (retrieved from the field \"keypair\" of the section [CRYPTO] of the configuration file) to decrypt the first block and then uses the freshly decrypted key to decrypt the third block.\r\nThis block of data can be either:\r\na task to be executed [6]\r\nthe data are decrypted and stored in a few temporary files: the task (a command or a PE file) and its configuration file in the \"Nls\" folder, and the output files (the file that will contain the task results and the logfile) in the folder \"0208\" (or respectively \"0409\" and \"1033\" for Carbon v3.8x)\r\ntask_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath\r\nthis line is added to the beginning of the file \"b9s3coff.ax\" (cifrado.xml on v3.8x)\r\na task to be executed by the orchestrator [7]\r\nthe data are decrypted and stored in a few temporary files (the task, its configuration, etc.) in the \"Nls\" and \"0208\" folders (or \"0409\" and \"1033\" for Carbon v3.8x)\r\ndepending on the content of the data, one of these lines will be added to the beginning of the file \"a67ncode.ax\" (encodebase.info on v3.8x)\r\ntask_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath\r\ntask_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath | execution_mode | username | password\r\ntask_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath | execution_mode\r\na new RSA server public key\r\nin this case, the configuration file is updated with the new key encoded in base64 (field publicc)\r\ndata to be sent to an instance of Carbon running on another computer in the same network\r\nthe data can contain a specific IP address and port, a named pipe, or a named pipe with a username and password.\r\nCheck Internet availability\r\nEach hour, the internet connection is checked. A first check is done by calling the function InternetAttemptConnect(). If it works, another test is done by sending HTTP GET requests to the following websites:\r\nwww.google.com\r\nwww.yahoo.com\r\nwww.bing.com\r\nupdate.microsoft.com\r\nwindowsupdate.microsoft.com\r\nmicrosoft.com\r\nAn event is used to notify the other threads in case of the loss of Internet access.\r\nConfiguration file backup\r\nSimilar to the logfile, the configuration file is also periodically backed up and sent to the C\u0026C server. The thread executes the code in a specific range of time (between 8h and 20h by default) [8].\r\nThe value \"configlastsend\" is retrieved from the section [TIME] of the configuration file. If the config file was last sent over a month ago, it is copied into a temporary file with a random name prefixed by \"~D\" in the folder \"208\" (for Carbon v3.7x) or \"1033\" (for Carbon v3.8x). This file is then encrypted with the CAST-128 algorithm.\r\nTo notify the thread that communicates with the C\u0026C server that a new file is ready to be sent to the server, the following line is appended to the file \"C_56743.NLS\" (for Carbon v3.7x) or \"dsntype.gif\" (for Carbon v3.8x):\r\n\"11|1|%s|%s\"\r\n1st field: an ID to identify the file as a config file\r\n2nd field: 1 (file to be sent to the C\u0026C server)\r\n3rd field: the temp filepath\r\n4th field: the victim uuid\r\nLast but not least, the attribute \"configlastsend\" is updated with the current time.\r\nSource: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
	],
	"report_names": [
		"carbon-paper-peering-turlas-second-stage-backdoor"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434363,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2138ae6cbbedd971467d19c6ab004226ca3723d.pdf",
		"text": "https://archive.orkl.eu/e2138ae6cbbedd971467d19c6ab004226ca3723d.txt",
		"img": "https://archive.orkl.eu/e2138ae6cbbedd971467d19c6ab004226ca3723d.jpg"
	}
}