ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool CarbonSteal

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: CarbonSteal

NamesCarbonSteal
CategoryMalware
TypeReconnaissance, Backdoor, Info stealer, Exfiltration
Description(Lookout) CarbonSteal is Android surveillanceware that has been tracked by Lookout since 2017, and more than 500 samples have been seen to date. While not as sophisticated as HenBox, certain samples of CarbonSteal do make use of a combination of native libraries and DEX classes, while others do not and are much simpler.

Hallmarks of CarbonSteal include extensive audio recording functionality in a variety of codecs and audio formats, as well as the capability in later samples to control an infected device through specially crafted SMS messages. Attackers can also perform audio surveillance through the malware’s ability to silently answer a call from a specific phone number and allow the attacker to listen in to sounds around an infected device. Based on this functionality, we suspect that CarbonSteal might be deployed in areas with insufficient or no mobile data coverage.

Samples of CarbonSteal and HenBox also use the same non-compromised signing certificates in many cases, suggesting the actor behind their deployment is the same. Furthermore, overlapping validity dates of these certificates may indicate that the samples were produced around the same time frame. This evidence led Lookout researchers to the theory that these tools were primarily used in an ongoing malware campaign (at the time) and against similar targets, with titles and languages once again suggesting a Uyghur focused interest.
Information<https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:CarbonSteal>

Last change to this tool card: 02 July 2020

Download this tool card in JSON format

Previous: Carbanak
Next: Cardinal RAT

All groups using tool CarbonSteal

ChangedNameCountryObserved

APT groups

XKe3chang, Vixen Panda, APT 15, GREF, Playful DragonChina2010-May 2020 

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key