Upgraded Kazuar Backdoor Offers Stealthy Power

Published: 23/11/2024   Category: security

The obscure Kazuar backdoor used by the Russian attack group Turla has resurfaced, and it's more dangerous than ever.



An enhanced iteration of Kazuar, a relatively obscure but highly functional backdoor Trojan, has gained capabilities that make it harder to detect: it can now operate covertly while thwarting analysis and malware protection tools. Kazuar, built on Microsoft's .NET framework, has been associated with advanced persistent threat (APT) espionage campaigns in recent years.
That's according to Palo Alto Networks Unit 42 threat intelligence researchers, who warned this week that the Russian-backed APT that it calls Pensive Ursa has already used the new version of Kazuar to target Ukraine's defense sector. Pensive Ursa (aka Turla Group, Snake, Uroburos, and Venomous Bear) has been linked with the Russian Federal Security Service (FSB) and has a trail dating back to 2004.
In the most recent Ukrainian attacks, confirmed by an advisory issued by the Ukrainian CERT in July, the attackers reportedly were seeking sensitive assets, including messages, source control, and cloud platform data, according to the Unit 42 analysis.
"The recent campaign that the Ukrainian CERT reported unveiled the multi-staged delivery mechanism of Kazuar, together with other tools such as the new Capibar first-stage backdoor," threat researchers Daniel Frank and Tom Fakterman explained in the report from Unit 42, which was among the earliest to discover Kazuar, in 2017. "Our technical analysis of this recent variant, seen in the wild after years of hiatus, showed significant improvements to its code structure and functionality."
Since discovering Kazuar's use by Turla in 2017 and again in 2020, threat researchers have identified it in only a handful of scenarios during the past six years, primarily against military and European government entities. In its May 2017 advisory, Unit 42 described Kazuar as a multiplatform espionage backdoor Trojan with API access to an embedded Web server.
The .NET-based Kazuar has a sophisticated set of commands that allows attackers to remotely load plugins that give the Trojan expanded capabilities. Unit 42 researchers have also discovered evidence of a Mac or Unix variant of the tool.
Kazuar uses a command-and-control (C2) channel that gives attackers access to compromised systems and lets them exfiltrate data, according to the researchers. It can use multiple protocols, including HTTP, HTTPS, FTP, and FTPS.
In January 2021, Kaspersky reported that it found some features in Kazuar that overlap with Sunburst, the backdoor discovered a month earlier by FireEye (now Google's Mandiant) and used in the broad SolarWinds supply chain attack. Sunburst, too, is a backdoor Trojan that communicates with attacker-controlled Web servers over standard HTTP; it was delivered as a digitally signed component of SolarWinds' widely used Orion IT management offering.
"A number of unusual, shared features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm, and the extensive usage of the FNV-1a hash," Kaspersky researchers explained. Both Kazuar and Sunburst implement a delay between connections to a C2 server, likely designed to make the network activity less obvious.
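The FNV-1a hash Kaspersky singles out is simple enough to recognize in a disassembly by its constants, and malware that relies on it usually stores hashes rather than the plaintext strings it compares against, so an analyst's first two jobs are spotting the routine and resolving the hashes back to strings. The following is an added example written for this page, not code from Unit 42, Kaspersky, or either malware family: a 32- and 64-bit FNV-1a implementation, a constant scan for triage, and a resolver that maps recovered hash values to a candidate word list. The candidate names, the hash values, and the byte blob are constructed for the demonstration and are not Kazuar or Sunburst artifacts.

```python
"""Added example: FNV-1a as an analyst meets it in hashed-string malware.

Not from the article, Unit 42 or Kaspersky; all inputs below are constructed.
"""
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# Canonical FNV parameters per width: (offset basis, prime, mask).
# These constants are what gives the routine away in a decompiler.
FNV_PARAMS: Dict[int, Tuple[int, int, int]] = {
    32: (0x811C9DC5, 0x01000193, 0xFFFFFFFF),
    64: (0xCBF29CE484222325, 0x100000001B3, 0xFFFFFFFFFFFFFFFF),
}


def fnv1a(data: bytes, bits: int = 32) -> int:
    """FNV-1a over raw bytes. The '1a' variant XORs the byte in *before*
    multiplying by the prime; plain FNV-1 multiplies first, then XORs."""
    h, prime, mask = FNV_PARAMS[bits]
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def fnv1a_str(s: str, bits: int = 32, encoding: str = "utf-8") -> int:
    """Hash a string. .NET code frequently hashes UTF-16LE rather than
    UTF-8, so the encoding is a parameter and the resolver tries both."""
    return fnv1a(s.encode(encoding), bits)


def resolve_hashes(unknown: Iterable[int], candidates: Iterable[str],
                   bits: int = 32,
                   encodings: Tuple[str, ...] = ("utf-8", "utf-16-le")
                   ) -> Dict[int, Optional[str]]:
    """Map hash constants recovered from a sample back to candidate strings.
    Returns {hash: matching string or None}; first encoding to match wins."""
    cands = list(candidates)
    table: Dict[int, str] = {}
    for enc in encodings:
        for c in cands:
            table.setdefault(fnv1a_str(c, bits, enc), c)
    return {h: table.get(h) for h in unknown}


def find_fnv_constants(blob: bytes) -> List[str]:
    """Triage check: which FNV magic constants appear as little-endian
    immediates in a blob? A hit suggests an FNV routine; on x86-64 the
    64-bit values are usually loaded with a mov imm64, so they show up
    verbatim. Absence proves nothing (constants may be computed)."""
    found: List[str] = []
    for bits, (offset, prime, _) in FNV_PARAMS.items():
        fmt = "<I" if bits == 32 else "<Q"
        if struct.pack(fmt, prime) in blob:
            found.append(f"fnv{bits}_prime")
        if struct.pack(fmt, offset) in blob:
            found.append(f"fnv{bits}_offset")
    return sorted(found)


# Constructed demo inputs (hypothetical, not taken from any real sample).
CANDIDATE_NAMES = ["explorer.exe", "svchost.exe", "msmpeng.exe", "procmon.exe"]
CONSTRUCTED_HASHES = [fnv1a_str("procmon.exe", 32, "utf-16-le"), 0xDEADBEEF]
CONSTRUCTED_BLOB = (b"\x48\x31\xc0"                       # filler opcodes
                    + struct.pack("<I", 0x01000193)        # 32-bit FNV prime
                    + b"\x90" * 8                          # filler
                    + struct.pack("<Q", 0xCBF29CE484222325))  # 64-bit offset

if __name__ == "__main__":
    for h, name in resolve_hashes(CONSTRUCTED_HASHES, CANDIDATE_NAMES).items():
        print(f"0x{h:08x} -> {name or '<unresolved>'}")
    print("FNV constants present:", find_fnv_constants(CONSTRUCTED_BLOB))
```

In practice the candidate list comes from whatever the sample is likely comparing against (process names, service names, API names), and the constant scan is the cheap first pass that tells you whether building that list is worth the effort.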
Matthieu Faou, a senior malware researcher at ESET, agrees with Unit 42's findings. ESET observed a similar Kazuar malware sample deployed at a Ministry of Foreign Affairs of a South American country in December 2021.
"Kazuar is very typical of complex implants that Turla used a lot in the past (such as Carbon, ComRAT and Gazer)," Faou says. "It uses compromised WordPress websites as C2 servers, which is also very typical for the group."
