win.cobra (Back to overview)

Cobra Carbon System

aka: Carbon

Actor(s): Turla Group


There is no description at this point.

References
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020 | Secureworks | SecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2019-04-19 | Github (hfiref0x) | hfiref0x
@online{hfiref0x:20190419:tdl:31ca191, author = {hfiref0x}, title = {{TDL (Turla Driver Loader) Repository}}, date = {2019-04-19}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/TDL}, language = {English}, urldate = {2020-01-08} } TDL (Turla Driver Loader) Repository
Cobra Carbon System
2018-10-04 | Kaspersky Labs | GReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Cobra Carbon System Gazer Mosquito Skipper
2017-03-30 | ESET Research | ESET Research
@online{research:20170330:carbon:928505a, author = {ESET Research}, title = {{Carbon Paper: Peering into Turla’s second stage backdoor}}, date = {2017-03-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/}, language = {English}, urldate = {2019-11-14} } Carbon Paper: Peering into Turla’s second stage backdoor
Cobra Carbon System Turla Group
2016-05-23 | MELANI GovCERT | GovCERT.ch
@techreport{govcertch:20160523:case:b6612e9, author = {GovCERT.ch}, title = {{APT Case RUAG - Technical Report}}, date = {2016-05-23}, institution = {MELANI GovCERT}, url = {https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf}, language = {English}, urldate = {2019-12-17} } APT Case RUAG - Technical Report
Cobra Carbon System
2016-01-14 | Symantec | Security Response
@techreport{response:20160114:waterbug:9dbc59e, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, institution = {Symantec}, url = {https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf}, language = {English}, urldate = {2020-04-21} } The Waterbug attack group
Agent.BTZ Cobra Carbon System Wipbot Turla Group
2015-01-20 | G Data | G Data
@online{data:20150120:analysis:2fe6cf2, author = {G Data}, title = {{Analysis of Project Cobra}}, date = {2015-01-20}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra}, language = {English}, urldate = {2020-01-05} } Analysis of Project Cobra
Cobra Carbon System
2014-08-07 | Kaspersky Labs | GReAT
@online{great:20140807:epic:f8b0803, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/65545/the-epic-turla-operation/}, language = {English}, urldate = {2019-12-20} } The Epic Turla Operation
Cobra Carbon System Turla Group
2014 | circl.lu | CIRCL
@online{circl:2014:tr25:97f9b0e, author = {CIRCL}, title = {{TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos}}, date = {2014}, organization = {circl.lu}, url = {https://www.circl.lu/pub/tr-25/}, language = {English}, urldate = {2020-07-01} } TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos
Cobra Carbon System Uroburos Turla Group
Yara Rules
[TLP:WHITE] win_cobra_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_cobra_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review) — how to read this rule
     * - YARA matches only the hex bytes on each `$sequence_N` line; the `//`
     *   disassembly printed under each pattern is informational. The `??`
     *   wildcards mask 4-byte operands (presumably relocatable call/jmp/memory
     *   targets) so a pattern does not depend on load address.
     * - In the `// n = .., score = ..` lines, `n` is the number of instructions
     *   in the sequence; `score` is a yara-signator ranking value whose scale
     *   is not documented here.
     * - The annotation column is out of step with the bytes for $sequence_16
     *   and $sequence_26 through $sequence_31: compare `c3` annotated `ret` in
     *   $sequence_4 but `dec ecx` in $sequence_26, `53` annotated `push ebx` in
     *   $sequence_11 but `test eax, eax` in $sequence_16, and `33d2` annotated
     *   `xor edx, edx` in $sequence_1 but `inc ebp` / `dec eax` in
     *   $sequence_27 / $sequence_31. Do not infer what those patterns detect
     *   from their annotations; the bytes are authoritative. The leading
     *   0x41/0x45/0x48/0x49 bytes in $sequence_26-$sequence_31 look like REX
     *   prefixes, i.e. 64-bit code — TODO confirm against the sample.
     * - condition: any 7 of the 32 sequences must be present and the scanned
     *   object must be smaller than 1368064 bytes. There is no MZ-header
     *   check, consistent with the disclaimer above (patterns were taken from
     *   memory dumps and unpacked files), so the rule is presumably meant to
     *   run over dumped/unpacked code rather than packed on-disk samples.
     */

    strings:
        $sequence_0 = { 7511 e8???????? 85c0 7508 ff15???????? }
            // n = 5, score = 2900
            //   7511                 | jne                 0x13
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   ff15????????         |                     

        $sequence_1 = { 33d2 b9e8030000 f7f1 83f805 }
            // n = 4, score = 2300
            //   33d2                 | xor                 edx, edx
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   f7f1                 | div                 ecx
            //   83f805               | cmp                 eax, 5

        $sequence_2 = { e8???????? 85c0 750e 33ff }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   33ff                 | xor                 edi, edi

        $sequence_3 = { ff25???????? 8b442408 85c0 750e 3905???????? 7e2c }
            // n = 6, score = 2100
            //   ff25????????         |                     
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   3905????????         |                     
            //   7e2c                 | jle                 0x2e

        $sequence_4 = { 5e 5b c3 85db 7405 83fb03 753b }
            // n = 7, score = 2100
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   85db                 | test                ebx, ebx
            //   7405                 | je                  7
            //   83fb03               | cmp                 ebx, 3
            //   753b                 | jne                 0x3d

        $sequence_5 = { 757f 8b05???????? 85c0 0f8e8c000000 }
            // n = 4, score = 2100
            //   757f                 | jne                 0x81
            //   8b05????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8e8c000000         | jle                 0x92

        $sequence_6 = { 5f 5e 5b c3 85ff 7418 }
            // n = 6, score = 2100
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   85ff                 | test                edi, edi
            //   7418                 | je                  0x1a

        $sequence_7 = { e8???????? 8bf8 83fb01 751d 85ff 755d }
            // n = 6, score = 2100
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83fb01               | cmp                 ebx, 1
            //   751d                 | jne                 0x1f
            //   85ff                 | test                edi, edi
            //   755d                 | jne                 0x5f

        $sequence_8 = { 753c b980000000 e8???????? 85c0 a3???????? 7504 33c0 }
            // n = 7, score = 2100
            //   753c                 | jne                 0x3e
            //   b980000000           | mov                 ecx, 0x80
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax

        $sequence_9 = { 751c 8bcf ff15???????? 8d8fe8030000 }
            // n = 4, score = 2100
            //   751c                 | jne                 0x1e
            //   8bcf                 | mov                 ecx, edi
            //   ff15????????         |                     
            //   8d8fe8030000         | lea                 ecx, [edi + 0x3e8]

        $sequence_10 = { 5e 5b c3 83fb01 7405 83fb02 }
            // n = 6, score = 2100
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   83fb01               | cmp                 ebx, 1
            //   7405                 | je                  7
            //   83fb02               | cmp                 ebx, 2

        $sequence_11 = { ff25???????? 53 56 57 8bd9 33f6 }
            // n = 6, score = 2100
            //   ff25????????         |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bd9                 | mov                 ebx, ecx
            //   33f6                 | xor                 esi, esi

        $sequence_12 = { 85c0 0f8e8c000000 83e801 8905???????? }
            // n = 4, score = 2100
            //   85c0                 | test                eax, eax
            //   0f8e8c000000         | jle                 0x92
            //   83e801               | sub                 eax, 1
            //   8905????????         |                     

        $sequence_13 = { 740c 80fb64 7507 33c0 e9???????? }
            // n = 5, score = 1900
            //   740c                 | je                  0xe
            //   80fb64               | cmp                 bl, 0x64
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     

        $sequence_14 = { 3c22 7404 3c27 7505 }
            // n = 4, score = 1700
            //   3c22                 | cmp                 al, 0x22
            //   7404                 | je                  6
            //   3c27                 | cmp                 al, 0x27
            //   7505                 | jne                 7

        $sequence_15 = { ff15???????? 83f87a 7407 3d230000c0 }
            // n = 4, score = 1600
            //   ff15????????         |                     
            //   83f87a               | cmp                 eax, 0x7a
            //   7407                 | je                  9
            //   3d230000c0           | cmp                 eax, 0xc0000023

        $sequence_16 = { 53 ff15???????? ff756c 8b35???????? }
            // n = 4, score = 1500
            // NOTE(review): the annotations below do not correspond to the
            // bytes on this pattern's line (see the header note); match on
            // the bytes, not on this text.
            //   53                   | test                eax, eax
            //   ff15????????         |                     
            //   ff756c               | mov                 ecx, dword ptr [ecx]
            //   8b35????????         |                     

        $sequence_17 = { 68???????? 51 ffd6 83c40c 6a28 }
            // n = 5, score = 800
            //   68????????           |                     
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   83c40c               | add                 esp, 0xc
            //   6a28                 | push                0x28

        $sequence_18 = { ff15???????? 83f87a 740b 3d230000c0 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   83f87a               | cmp                 eax, 0x7a
            //   740b                 | je                  0xd
            //   3d230000c0           | cmp                 eax, 0xc0000023

        $sequence_19 = { 68000000c0 50 ff15???????? 8bf0 83feff 7505 33c0 }
            // n = 7, score = 800
            //   68000000c0           | push                0xc0000000
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7505                 | jne                 7
            //   33c0                 | xor                 eax, eax

        $sequence_20 = { 663bcb 75f4 8b0d???????? 8b15???????? 8908 8b0d???????? 895004 }
            // n = 7, score = 800
            //   663bcb               | cmp                 cx, bx
            //   75f4                 | jne                 0xfffffff6
            //   8b0d????????         |                     
            //   8b15????????         |                     
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b0d????????         |                     
            //   895004               | mov                 dword ptr [eax + 4], edx

        $sequence_21 = { ff15???????? eb03 8b7d0c 3bfb }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   eb03                 | jmp                 5
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   3bfb                 | cmp                 edi, ebx

        $sequence_22 = { 83c0fe 668b4802 83c002 663bcb 75f4 8b15???????? }
            // n = 6, score = 800
            //   83c0fe               | add                 eax, -2
            //   668b4802             | mov                 cx, word ptr [eax + 2]
            //   83c002               | add                 eax, 2
            //   663bcb               | cmp                 cx, bx
            //   75f4                 | jne                 0xfffffff6
            //   8b15????????         |                     

        $sequence_23 = { c3 8b4d08 57 51 6a00 6a00 56 }
            // n = 7, score = 800
            //   c3                   | ret                 
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   56                   | push                esi

        $sequence_24 = { 6689440ffc 6685c0 75ee f685c003000010 }
            // n = 4, score = 800
            //   6689440ffc           | mov                 word ptr [edi + ecx - 4], ax
            //   6685c0               | test                ax, ax
            //   75ee                 | jne                 0xfffffff0
            //   f685c003000010       | test                byte ptr [ebp + 0x3c0], 0x10

        $sequence_25 = { 75f4 8b15???????? 8b0d???????? 8910 8b15???????? 894804 }
            // n = 6, score = 800
            //   75f4                 | jne                 0xfffffff6
            //   8b15????????         |                     
            //   8b0d????????         |                     
            //   8910                 | mov                 dword ptr [eax], edx
            //   8b15????????         |                     
            //   894804               | mov                 dword ptr [eax + 4], ecx

        $sequence_26 = { c3 4585e4 75e8 85f6 74e4 418936 b801000000 }
            // n = 7, score = 700
            // NOTE(review): annotations for $sequence_26 through $sequence_31
            // do not correspond to the bytes (e.g. `c3` is `ret` everywhere
            // else in this rule); see the header note. Match on the bytes.
            //   c3                   | dec                 ecx
            //   4585e4               | mov                 ecx, esp
            //   75e8                 | dec                 eax
            //   85f6                 | mov                 dword ptr [edi - 2], eax
            //   74e4                 | jne                 0xffffffec
            //   418936               | xor                 eax, eax
            //   b801000000           | dec                 eax

        $sequence_27 = { 418bf4 4532ff e8???????? 33d2 488d8d300a0000 }
            // n = 5, score = 700
            //   418bf4               | inc                 ecx
            //   4532ff               | mov                 esi, esp
            //   e8????????           |                     
            //   33d2                 | inc                 ebp
            //   488d8d300a0000       | xor                 bh, bh

        $sequence_28 = { 488b05???????? 498bcc 488947fe 8b05???????? }
            // n = 4, score = 700
            //   488b05????????       |                     
            //   498bcc               | xor                 edx, edx
            //   488947fe             | dec                 eax
            //   8b05????????         |                     

        $sequence_29 = { 75ea 33c0 4883c9ff 488d7da0 66f2af }
            // n = 5, score = 700
            //   75ea                 | mov                 ecx, eax
            //   33c0                 | dec                 eax
            //   4883c9ff             | mov                 ecx, edi
            //   488d7da0             | inc                 ecx
            //   66f2af               | mov                 bh, 1

        $sequence_30 = { 66f2af 48f7d1 66837c4bfc5c 7413 }
            // n = 4, score = 700
            //   66f2af               | xor                 edx, edx
            //   48f7d1               | dec                 eax
            //   66837c4bfc5c         | lea                 ecx, [ebp + 0xa30]
            //   7413                 | repne scasd         eax, dword ptr es:[edi]

        $sequence_31 = { 33d2 488bc8 ff15???????? 488bcf ff15???????? 41b701 e9???????? }
            // n = 7, score = 700
            //   33d2                 | dec                 eax
            //   488bc8               | not                 ecx
            //   ff15????????         |                     
            //   488bcf               | cmp                 word ptr [ebx + ecx*2 - 4], 0x5c
            //   ff15????????         |                     
            //   41b701               | je                  0x1e
            //   e9????????           |                     

    condition:
        // At least 7 of the 32 byte sequences above, within the size cap.
        7 of them and filesize < 1368064
}
[TLP:WHITE] win_cobra_w0   (20170512 | No description)
rule win_cobra_w0 {
    meta:
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Two independent marker groups ($s*, $t*); one hit from each group
        // is required. All four are plain ASCII literals with neither `wide`
        // nor `nocase`, so UTF-16 or differently-cased renderings of the same
        // text are not matched.
        $s1 = "ModStart"
        $s2 = "ModuleStart"
        $t1 = "STOP|OK"
        $t2 = "STOP|KILL"

    condition:
        // Little-endian "MZ" at offset 0 restricts the rule to objects that
        // start with a DOS/PE header, i.e. files rather than raw memory dumps.
        uint16(0) == 0x5a4d
        // `any of` is YARA's alias for `1 of`.
        and any of ($s*)
        and any of ($t*)
}
[TLP:WHITE] win_cobra_w1   (20170512 | No description)
import "pe"

rule win_cobra_w1 {
    meta:
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    condition:
        // Pure version-resource heuristic (needs the `import "pe"` above this
        // rule; there is no strings section). Both halves must hold:
        //   1. CompanyName contains "Microsoft Corporation", and
        //   2. InternalName contains one of three module names.
        // `contains` is a case-sensitive substring test. Version-info fields
        // are ordinary resource data set by whoever built the binary, so this
        // is a low-fidelity hunting rule: a genuine Microsoft module carrying
        // one of these InternalName values would also match. Triage hits
        // against the cited ESET write-up rather than treating them as
        // confirmed detections.
        pe.version_info["CompanyName"] contains "Microsoft Corporation"
        and (
            pe.version_info["InternalName"] contains "SERVICE.EXE"
            or pe.version_info["InternalName"] contains "MSIMGHLP.DLL"
            or pe.version_info["InternalName"] contains "MSXIML.DLL"
        )
}