win.cobra (Back to overview)

Cobra Carbon System

aka: Carbon

Actor(s): Turla Group


There is no description at this point.

References
2020-10-28 | Accenture | Cyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-09-25 | Github (sisoma2) | Marc
@online{marc:20200925:turla:06db824, author = {Marc}, title = {{Turla Carbon System}}, date = {2020-09-25}, organization = {Github (sisoma2)}, url = {https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon}, language = {English}, urldate = {2020-10-02} } Turla Carbon System
Cobra Carbon System
2020-07-21 | YouTube ( OPCDE with Matt Suiche) | Mohamad Mokbel
@online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-10-24} } vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020 | Secureworks | SecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla
2019-04-19 | Github (hfiref0x) | hfiref0x
@online{hfiref0x:20190419:tdl:31ca191, author = {hfiref0x}, title = {{TDL (Turla Driver Loader) Repository}}, date = {2019-04-19}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/TDL}, language = {English}, urldate = {2020-01-08} } TDL (Turla Driver Loader) Repository
Cobra Carbon System
2018-10-04 | Kaspersky Labs | GReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2023-01-10} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Agent.BTZ Cobra Carbon System Gazer Meterpreter Mosquito Skipper
2017-03-30 | ESET Research | ESET Research
@online{research:20170330:carbon:928505a, author = {ESET Research}, title = {{Carbon Paper: Peering into Turla’s second stage backdoor}}, date = {2017-03-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/}, language = {English}, urldate = {2019-11-14} } Carbon Paper: Peering into Turla’s second stage backdoor
Cobra Carbon System Turla
2016-05-23 | MELANI GovCERT | GovCERT.ch
@techreport{govcertch:20160523:case:b6612e9, author = {GovCERT.ch}, title = {{APT Case RUAG - Technical Report}}, date = {2016-05-23}, institution = {MELANI GovCERT}, url = {https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf}, language = {English}, urldate = {2022-08-05} } APT Case RUAG - Technical Report
Cobra Carbon System
2016-01-14 | Symantec | Security Response
@online{response:20160114:waterbug:9dbc59e, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, organization = {Symantec}, url = {https://docs.broadcom.com/doc/waterbug-attack-group}, language = {English}, urldate = {2022-04-25} } The Waterbug attack group
Agent.BTZ Cobra Carbon System Wipbot
2015-01-20 | G Data | G Data
@online{data:20150120:analysis:2fe6cf2, author = {G Data}, title = {{Analysis of Project Cobra}}, date = {2015-01-20}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra}, language = {English}, urldate = {2020-01-05} } Analysis of Project Cobra
Cobra Carbon System
2014-08-07 | Kaspersky Labs | GReAT
@online{great:20140807:epic:f8b0803, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/65545/the-epic-turla-operation/}, language = {English}, urldate = {2021-07-02} } The Epic Turla Operation
Cobra Carbon System Uroburos Wipbot Turla
2014 | circl.lu | CIRCL
@online{circl:2014:tr25:97f9b0e, author = {CIRCL}, title = {{TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos}}, date = {2014}, organization = {circl.lu}, url = {https://www.circl.lu/pub/tr-25/}, language = {English}, urldate = {2020-07-01} } TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos
Cobra Carbon System Uroburos Turla
Yara Rules
[TLP:WHITE] win_cobra_auto (20230125 | Detects win.cobra.)
rule win_cobra_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.cobra."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * - Only the hex patterns below are evaluated by YARA; the "| <mnemonic>"
     *   text under each pattern is a comment. In several sequences that text
     *   does not decode the bytes next to it (e.g. in $sequence_3 the bytes
     *   5e, 5b, c3 are pop esi / pop ebx / ret, while the comments read
     *   lea/mov), so use the hex bytes, not the comments, when triaging a hit.
     * - $sequence_20 .. $sequence_24 carry 0x48/0x4c/0x4d prefixes that read
     *   as REX bytes in x64 code; the "dec eax"/"dec esp" comments look like a
     *   32-bit decode of those bytes -- confirm against the sample.
     * - The "????????" wildcards sit after call/jmp opcodes (e8, e9, ff15,
     *   ff25) and memory-operand forms (8b05, a3, 391d, ...), consistent with
     *   the signator_config above: relocatable targets and data references
     *   are masked so the patterns survive rebasing/relinking.
     * - "n" is the number of opcodes in the sequence; "score" is carried over
     *   from yara-signator's output and is not used by the condition.
     */


    strings:
        $sequence_0 = { 7511 e8???????? 85c0 7508 ff15???????? }
            // n = 5, score = 3100
            //   7511                 | jmp                 0x6e
            //   e8????????           |                     
            //   85c0                 | and                 dword ptr [eax], 0
            //   7508                 | test                eax, eax
            //   ff15????????         |                     

        $sequence_1 = { 7514 391d???????? 754d 33c0 }
            // n = 4, score = 2800
            //   7514                 | cmp                 ebx, 1
            //   391d????????         |                     
            //   754d                 | je                  0xb
            //   33c0                 | pop                 ebx

        $sequence_2 = { 83f801 75f1 b900010000 e8???????? }
            // n = 4, score = 2800
            //   83f801               | ret                 
            //   75f1                 | test                edi, edi
            //   b900010000           | je                  0x1d
            //   e8????????           |                     

        $sequence_3 = { 5e 5b c3 85ff 7418 }
            // n = 5, score = 2800
            //   5e                   | lea                 eax, [esp + 0x2b0]
            //   5b                   | mov                 dword ptr [esp + 0x9c], eax
            //   c3                   | mov                 dword ptr [esp + 0xa0], eax
            //   85ff                 | push                0x208
            //   7418                 | lea                 eax, [esp + 0x2b0]

        $sequence_4 = { 83fb01 7405 83fb02 7537 }
            // n = 4, score = 2800
            //   83fb01               | push                0x208
            //   7405                 | mov                 dword ptr [esp + 0x9c], eax
            //   83fb02               | mov                 dword ptr [esp + 0xa0], eax
            //   7537                 | push                0x208

        $sequence_5 = { 757f 8b05???????? 85c0 0f8e8c000000 }
            // n = 4, score = 2800
            //   757f                 | push                ebx
            //   8b05????????         |                     
            //   85c0                 | mov                 dword ptr [esp + 0x9c], eax
            //   0f8e8c000000         | mov                 dword ptr [esp + 0xa0], eax

        $sequence_6 = { 5b c3 85db 7405 83fb03 753b }
            // n = 6, score = 2800
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   85db                 | test                ebx, ebx
            //   7405                 | je                  0xb
            //   83fb03               | cmp                 ebx, 3
            //   753b                 | jne                 0x81

        $sequence_7 = { 85c0 750e 33ff 8bc7 }
            // n = 4, score = 2800
            //   85c0                 | cmp                 ebx, 1
            //   750e                 | je                  0xa
            //   33ff                 | cmp                 ebx, 2
            //   8bc7                 | jne                 0x41

        $sequence_8 = { 751c 8bcf ff15???????? 8d8fe8030000 }
            // n = 4, score = 2800
            //   751c                 | push                ebx
            //   8bcf                 | push                eax
            //   ff15????????         |                     
            //   8d8fe8030000         | mov                 dword ptr [esp + 0xa0], eax

        $sequence_9 = { e8???????? 85c0 a3???????? 7504 33c0 }
            // n = 5, score = 2700
            //   e8????????           |                     
            //   85c0                 | push                ebp
            //   a3????????           |                     
            //   7504                 | mov                 ecx, dword ptr [ebp + 8]
            //   33c0                 | mov                 eax, dword ptr [ecx + 0x20]

        $sequence_10 = { 85c0 750e 3905???????? 7e2c ff0d???????? 83f801 8b0d???????? }
            // n = 7, score = 2700
            //   85c0                 | mov                 dword ptr [ecx], edx
            //   750e                 | xor                 eax, eax
            //   3905????????         |                     
            //   7e2c                 | mov                 ecx, dword ptr [ebp + 8]
            //   ff0d????????         |                     
            //   83f801               | mov                 dword ptr [ecx], edx
            //   8b0d????????         |                     

        $sequence_11 = { ff25???????? 53 56 57 8bd9 33f6 }
            // n = 6, score = 2700
            //   ff25????????         |                     
            //   53                   | mov                 ecx, dword ptr [ebp + 8]
            //   56                   | mov                 ecx, dword ptr [ecx + 0x20]
            //   57                   | mov                 edx, dword ptr [ebp + 8]
            //   8bd9                 | jne                 0x3e
            //   33f6                 | mov                 ecx, 0x80

        $sequence_12 = { 753c b980000000 e8???????? 85c0 }
            // n = 4, score = 2700
            //   753c                 | ret                 
            //   b980000000           | mov                 ax, cs
            //   e8????????           |                     
            //   85c0                 | ret                 

        $sequence_13 = { 33d2 b9e8030000 f7f1 83f805 }
            // n = 4, score = 2500
            //   33d2                 | mov                 ecx, 0x80
            //   b9e8030000           | test                eax, eax
            //   f7f1                 | jne                 8
            //   83f805               | test                eax, eax

        $sequence_14 = { 7407 33c0 e9???????? ff15???????? e9???????? }
            // n = 5, score = 2100
            //   7407                 | and                 dword ptr [eax], 0
            //   33c0                 | mov                 ecx, dword ptr [ecx]
            //   e9????????           |                     
            //   ff15????????         |                     
            //   e9????????           |                     

        $sequence_15 = { 8bc3 2b44242c 33ff 3bc7 }
            // n = 4, score = 2100
            //   8bc3                 | push                esi
            //   2b44242c             | push                edi
            //   33ff                 | mov                 ebx, ecx
            //   3bc7                 | xor                 esi, esi

        $sequence_16 = { e8???????? 99 b901040000 f7f9 8b7f0c }
            // n = 5, score = 2100
            //   e8????????           |                     
            //   99                   | jle                 0x32
            //   b901040000           | test                eax, eax
            //   f7f9                 | jne                 6
            //   8b7f0c               | xor                 eax, eax

        $sequence_17 = { 85c0 7f07 e8???????? eb26 83c0ff }
            // n = 5, score = 1400
            //   85c0                 | test                eax, eax
            //   7f07                 | jg                  9
            //   e8????????           |                     
            //   eb26                 | jmp                 0x28
            //   83c0ff               | add                 eax, -1

        $sequence_18 = { eb6d e8???????? 85c0 7564 }
            // n = 4, score = 1400
            //   eb6d                 | jmp                 0x6f
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7564                 | jne                 0x66

        $sequence_19 = { e8???????? 33db 3bc3 741a }
            // n = 4, score = 1400
            //   e8????????           |                     
            //   33db                 | xor                 ebx, ebx
            //   3bc3                 | cmp                 eax, ebx
            //   741a                 | je                  0x1c

        $sequence_20 = { 83385c 7e4b 4c8b505c 4d85d2 7442 448b6c2470 4c8bce }
            // n = 7, score = 1100
            //   83385c               | dec                 eax
            //   7e4b                 | mov                 ecx, edi
            //   4c8b505c             | xor                 ebx, ebx
            //   4d85d2               | cmp                 eax, ebx
            //   7442                 | je                  0x23
            //   448b6c2470           | cmp                 dword ptr [eax], 0x5c
            //   4c8bce               | jle                 0x50

        $sequence_21 = { eb0e 4883c108 e8???????? b801005921 488b5c2430 488b6c2438 488b742440 }
            // n = 7, score = 1100
            //   eb0e                 | dec                 esp
            //   4883c108             | mov                 edx, dword ptr [eax + 0x5c]
            //   e8????????           |                     
            //   b801005921           | dec                 ebp
            //   488b5c2430           | test                edx, edx
            //   488b6c2438           | je                  0x4b
            //   488b742440           | inc                 esp

        $sequence_22 = { e8???????? 48832700 ba02000000 488bce e8???????? 498bce }
            // n = 6, score = 1100
            //   e8????????           |                     
            //   48832700             | dec                 eax
            //   ba02000000           | add                 ecx, 8
            //   488bce               | mov                 eax, 0x21590001
            //   e8????????           |                     
            //   498bce               | dec                 eax

        $sequence_23 = { b801005921 488b5c2430 488b742438 4883c420 }
            // n = 4, score = 1100
            //   b801005921           | mov                 ebx, dword ptr [esp + 0x30]
            //   488b5c2430           | dec                 eax
            //   488b742438           | mov                 ebp, dword ptr [esp + 0x38]
            //   4883c420             | dec                 eax

        $sequence_24 = { 750b 4883c108 e8???????? eb0c bb06005921 eb05 }
            // n = 6, score = 1100
            //   750b                 | dec                 eax
            //   4883c108             | mov                 ecx, dword ptr [edi]
            //   e8????????           |                     
            //   eb0c                 | jne                 0xd
            //   bb06005921           | dec                 eax
            //   eb05                 | add                 ecx, 8

        $sequence_25 = { 50 6a00 6aff e8???????? 85c0 7405 }
            // n = 6, score = 1000
            //   50                   | mov                 ebx, dword ptr [esp + 0x30]
            //   6a00                 | dec                 eax
            //   6aff                 | mov                 ebp, dword ptr [esp + 0x38]
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   7405                 | mov                 esi, dword ptr [esp + 0x40]

        $sequence_26 = { 898424a0000000 e8???????? 6808020000 8d8424b0020000 53 50 }
            // n = 6, score = 900
            //   898424a0000000       | mov                 dword ptr [esp + 0x98], eax
            //   e8????????           |                     
            //   6808020000           | mov                 dword ptr [esp + 0x9c], eax
            //   8d8424b0020000       | mov                 dword ptr [esp + 0xa0], eax
            //   53                   | push                0x208
            //   50                   | mov                 dword ptr [esp + 0x98], eax

        $sequence_27 = { 83781400 750a b865005921 e9???????? }
            // n = 4, score = 900
            //   83781400             | cmp                 eax, 1
            //   750a                 | jne                 0xfffffff3
            //   b865005921           | mov                 ecx, 0x100
            //   e9????????           |                     

        $sequence_28 = { 89842490000000 89842494000000 89842498000000 8984249c000000 898424a0000000 e8???????? 6808020000 }
            // n = 7, score = 900
            //   89842490000000       | mov                 byte ptr [esp + 0x1f], bl
            //   89842494000000       | xor                 eax, eax
            //   89842498000000       | push                0x208
            //   8984249c000000       | mov                 dword ptr [esp + 0x34], ebx
            //   898424a0000000       | mov                 dword ptr [esp + 0x30], ebx
            //   e8????????           |                     
            //   6808020000           | mov                 dword ptr [esp + 0x24], ebx

        $sequence_29 = { 8975fc e8???????? 681c010000 8d8de0feffff }
            // n = 4, score = 900
            //   8975fc               | mov                 byte ptr [esp + 0x1f], bl
            //   e8????????           |                     
            //   681c010000           | mov                 dword ptr [esp + 0x30], ebx
            //   8d8de0feffff         | mov                 dword ptr [esp + 0x24], ebx

        $sequence_30 = { 895c2428 895c2434 895c2430 895c2424 895c2420 885c241f e8???????? }
            // n = 7, score = 900
            //   895c2428             | test                eax, eax
            //   895c2434             | jne                 0xd
            //   895c2430             | jne                 0x3e
            //   895c2424             | mov                 ecx, 0x80
            //   895c2420             | test                eax, eax
            //   885c241f             | jne                 0xd
            //   e8????????           |                     

        $sequence_31 = { 7507 32c0 e9???????? c745b818000000 }
            // n = 4, score = 800
            //   7507                 | push                0
            //   32c0                 | push                -1
            //   e9????????           |                     
            //   c745b818000000       | test                eax, eax

        $sequence_32 = { 85c0 740a b8050000c0 e9???????? }
            // n = 4, score = 200
            //   85c0                 | push                -1
            //   740a                 | test                eax, eax
            //   b8050000c0           | push                -1
            //   e9????????           |                     

        $sequence_33 = { 668cc8 c3 53 50 }
            // n = 4, score = 200
            //   668cc8               | push                0x18
            //   c3                   | lea                 eax, [ebp - 0x18]
            //   53                   | push                eax
            //   50                   | push                0

        $sequence_34 = { 8b4d08 8b4120 8b5124 5d c20400 }
            // n = 5, score = 100
            //   8b4d08               | add                 eax, edx
            //   8b4120               | adc                 ecx, esi
            //   8b5124               | push                ecx
            //   5d                   | xor                 esi, esi
            //   c20400               | add                 eax, edx

        $sequence_35 = { 8b4d08 8b15???????? 8911 33c0 e9???????? }
            // n = 5, score = 100
            //   8b4d08               | jmp                 9
            //   8b15????????         |                     
            //   8911                 | mov                 eax, 0x21590065
            //   33c0                 | cmp                 dword ptr [eax + 0x14], 0
            //   e9????????           |                     

    condition:
        // Any 7 of the 36 sequences above plus a size cap (1368064 bytes,
        // ~1.3 MiB). Per the disclaimer, the sequences may be drawn from few
        // samples; tune the threshold against your own corpus before acting
        // on hits.
        7 of them and filesize < 1368064
}
[TLP:WHITE] win_cobra_w0   (20170512 | No description)
rule win_cobra_w0 {
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    // Two string families: what look like module entry-point names
    // ($start_*) and what look like control tokens ($stop_*). One hit from
    // each family is required, so neither family on its own fires the rule.
    // All four are plain ASCII, case-sensitive patterns (no "wide"/"nocase").
    strings:
        $start_1 = "ModStart"
        $start_2 = "ModuleStart"
        $stop_1 = "STOP|OK"
        $stop_2 = "STOP|KILL"

    condition:
        // uint16 at offset 0 is read little-endian, so 0x5a4d is the "MZ"
        // DOS header magic; the file must start with it.
        uint16(0) == 0x5a4d
        and 1 of ($start*)
        and 1 of ($stop*)
}
[TLP:WHITE] win_cobra_w1   (20170512 | No description)
import "pe"

rule win_cobra_w1 {
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    condition:
        // Needs `import "pe"` above the rule. Both lookups read the PE
        // VERSIONINFO resource; for a non-PE file or a missing key the
        // lookup is undefined and the rule does not match. "contains" is
        // case-sensitive, so the upper-case spellings are part of the match.
        pe.version_info["CompanyName"] contains "Microsoft Corporation"
        and (
            pe.version_info["InternalName"] contains "SERVICE.EXE"
            or pe.version_info["InternalName"] contains "MSIMGHLP.DLL"
            or pe.version_info["InternalName"] contains "MSXIML.DLL"
        )
}