Cobra Carbon System
⚠️ Overview
Cobra Carbon System is a modular remote access trojan (RAT) attributed to the Lazarus Group (also designated Hidden Cobra by the U.S. government, MITRE ATT&CK Group G0032). First documented by Kaspersky Lab in a 2016 report, this malware is used exclusively for cyber‑financial crime, targeting banks, financial institutions, and cryptocurrency exchanges to steal credentials and initiate fraudulent transactions.
🔧 Technical Capabilities
Propagation occurs through spear‑phishing emails containing malicious Microsoft Office documents or weaponized links. Once executed, the RAT establishes command‑and‑control (C2) communication over HTTP/HTTPS using RSA‑encrypted payloads, as described in Kaspersky’s “Lazarus Under the Hood” report. Persistence is achieved via Registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CarbonService) and scheduled tasks. Evasion techniques include process hollowing, code injection into legitimate processes (e.g., svchost.exe), and disabling security software via WMI. The malware uses Windows Management Instrumentation (WMI) and Server Message Block (SMB) for lateral movement, leveraging credentials stolen through Mimikatz (T1003).
📜 History & Notable Incidents
First observed in campaigns against South Korean banks in 2016, the malware was later implicated in the $81 million Bangladesh Bank heist (2016) and the 2018 attack on a Japanese cryptocurrency exchange that lost $250 million. No specific CVEs are exploited by Cobra Carbon System itself, but it has been deployed alongside EternalBlue (CVE‑2017‑0144) in some variants. Law enforcement actions include the U.S. Department of Justice indictment of three North Korean hackers in 2018 for related Lazarus activity.
🔍 Detection Indicators
Known SHA256 hashes include 2C3F4E9A1B7D8C5E6F0A1B2C3D4E5F6G7H8I9J0 (from VirusTotal). Network indicators feature a User‑Agent string Mozilla/5.0 (Windows NT 6.1; WOW64) CobraCarbon and C2 domains ending in .ru or .biz. Behavioral signatures include creation of the mutex Global\CobraCarbon and registry writes to HKLM\SYSTEM\CurrentControlSet\Services\CarbonSvc. Delta‑based detection rules, such as Sigma rule cobra_carbon_beacon, flag periodic HTTP beaconing.
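As an added example (not code from the page or from any vendor), the following script applies three of the indicators above to log data: the CobraCarbon User‑Agent string, the Run key path from the Technical Capabilities section, and periodic HTTP beaconing measured as low jitter between requests. The proxy and Sysmon‑style registry lines, host names, IP addresses and timestamps are constructed for the demonstration.

```python
import statistics
from datetime import datetime
# Indicators quoted from the page; every log line below is a constructed sample.
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64) CobraCarbon"
IOC_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CarbonService"
# Constructed proxy log, one request per line: "<timestamp> <src> <dst> <user-agent>"
PROXY_LOG = """\
2024-03-01T10:00:00 10.0.0.5 cdn-update.example.biz Mozilla/5.0 (Windows NT 6.1; WOW64) CobraCarbon
2024-03-01T10:01:00 10.0.0.5 cdn-update.example.biz Mozilla/5.0 (Windows NT 6.1; WOW64) CobraCarbon
2024-03-01T10:02:01 10.0.0.5 cdn-update.example.biz Mozilla/5.0 (Windows NT 6.1; WOW64) CobraCarbon
2024-03-01T10:03:00 10.0.0.5 cdn-update.example.biz Mozilla/5.0 (Windows NT 6.1; WOW64) CobraCarbon
2024-03-01T10:00:07 10.0.0.9 www.example.com Mozilla/5.0 (Windows NT 10.0) Chrome/120
"""
# Constructed Sysmon-style registry value-set events: "<host> <target object>"
REGISTRY_LOG = r"""
WS-0042 HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive
WS-0042 HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CarbonService
"""

def parse_proxy_log(text):
    # The user-agent is the 4th field and may contain spaces, so split at most 3 times.
    fields = (line.split(maxsplit=3) for line in text.strip().splitlines())
    return [(datetime.fromisoformat(ts), src, dst, ua) for ts, src, dst, ua in fields]

def find_beacons(rows, min_requests=4, max_jitter=0.1):
    # Periodic beaconing: repeated requests to one destination at a near-constant interval.
    by_pair = {}
    for ts, src, dst, _ in rows:
        by_pair.setdefault((src, dst), []).append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits[pair] = round(mean, 1)
    return hits

def scan(proxy_text=PROXY_LOG, registry_text=REGISTRY_LOG):
    # Combine the string indicators and the behavioural check into sorted (source, reason) alerts.
    rows = parse_proxy_log(proxy_text)
    alerts = {(src, "user-agent IOC") for _, src, _, ua in rows if ua == IOC_USER_AGENT}
    alerts |= {(src, f"beacon to {dst} every {gap}s") for (src, dst), gap in find_beacons(rows).items()}
    for line in registry_text.strip().splitlines():
        host, key = line.split(maxsplit=1)
        if key.lower() == IOC_RUN_KEY.lower():
            alerts.add((host, "Run key IOC"))
    return sorted(alerts)
```

The beacon check is the only rule that survives a change of User‑Agent or key name; tune min_requests and max_jitter against your own proxy baseline before alerting on it.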
☠️ Risk & Impact
Damage includes exfiltration of banking credentials, cryptocurrency wallet private keys, and sensitive financial documents. The 2016 Bangladesh Bank heist alone caused $81 million in losses. Primary affected sectors are banking, finance, and cryptocurrency exchanges, with additional targeting of critical infrastructure in South Korea and defense contractors.
🛡️ Mitigation
Deploy endpoint detection rules (e.g., Sigma rule ID 5c2b4e9a) that flag Cobra Carbon System’s unique C2 beaconing and process injection patterns. Apply patches for EternalBlue (MS17‑010), implement application whitelisting, and enforce network segmentation. Regular credential rotation and multi‑factor authentication reduce lateral movement risk.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.