Cyber espionage group Turla and its latest malware under the microscope

Next story

Over the past decade, the cyberattackers behind Turla - an espionage group that has been targeting various institutions for many years - has shown quite a broad arsenal of tools focused on acquiring data from selected high profile institutions in Europe and the United States.

Today, ESET researchers released their discoveries in an in-depth analysis of the innovations found in the latest versions of Turla’s second stage backdoor, dubbed “Carbon.”

Known to change their tools once exposed, the Turla group keeps its malware in constant development, changing mutexes and file names between each version; this is valid for Carbon as well.  In the three years since its development, ESET researchers have been able to confirm eight active versions thus far. Notorious for its painstaking efforts and its work in stages, the Turla group first performs reconnaissance on their victim’s systems before deploying their most sophisticated tools such as Carbon.

A classic Carbon compromise chain starts with a user receiving a spear phishing email or visiting a previously compromised website, typically one that the user visits regularly — a technique known as a watering hole attack. After a successful attack, a first stage backdoor — such as Tavdig or Skipper — is installed on the victim’s machine. Once the reconnaissance phase is over, a second stage backdoor, like Carbon, is installed on key systems.

The architecture of Carbon consists of a dropper that installs the Carbon components and its configuration file
— a component that communicates with Command and Control (C&C) servers —and an orchestrator that handles tasks dispatches them to other computers on the network and injects them into a legitimate process that communicates with the C&C and a loader that executes the orchestrator.

“Carbon shares some similarities with other Turla’s tool – rootkit Uroburos. The most relevant resemblance being the communication framework. The communication objects are implemented in the same way, the structures and virtual tables look identical except that there are fewer communication channels in Carbon,” explains the paper. “Carbon might be the ‘lite’ version of Uroburos without kernel components and exploits.”

To read the technical analysis of Carbon, please visit ESET’s news site

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit or follow us on LinkedInFacebook and Twitter.


Anna Keeve

ESET North America

619.405.5175, Anna.Keeve(at)