
Upgraded Kazuar Backdoor Offers Stealthy Power



An enhanced version of Kazuar, a relatively obscure but "highly functional" backdoor Trojan, has gained capabilities that make it harder to detect: it can now operate covertly while thwarting analysis and malware-protection tools. Kazuar, which is built on Microsoft's .NET framework, has been associated with advanced persistent threat (APT) espionage campaigns in recent years.

That is according to Palo Alto Networks' Unit 42 threat intelligence researchers this week, who warned that the Russian-backed APT they call Pensive Ursa has already used the new version of Kazuar to target Ukraine's defense sector. Pensive Ursa (aka Turla Group, Snake, Uroburos, and Venomous Bear) has been linked to the Russian Federal Security Service (FSB) and has a track record dating back to 2004.

In the latest Ukrainian attacks, confirmed by an advisory issued by the Ukrainian CERT in July, the attackers reportedly were after sensitive assets, including messages, source control, and cloud platform data, according to the Unit 42 analysis.

"The recent campaign that the Ukrainian CERT reported unveiled the multi-staged delivery mechanism of Kazuar, along with other tools such as the new Capibar first-stage backdoor," threat researchers Daniel Frank and Tom Fakterman explained in the report from Unit 42, which was among the first to discover Kazuar, in 2017. "Our technical analysis of this latest variant — seen in the wild after years of hiatus — showed significant improvements to its code structure and functionality."

Kazuar's Expanded Capabilities

Since discovering Kazuar's use by Turla in 2017 and again in 2020, threat researchers have identified it in only a handful of instances over the past six years, primarily against military and European government entities. In its May 2017 advisory, Unit 42 described Kazuar as a multiplatform espionage backdoor Trojan with API access to an embedded Web server.

The .NET-based Kazuar has a sophisticated command set that lets attackers remotely load plugins, giving the Trojan expanded capabilities. Unit 42 researchers have also found evidence of a Mac or Unix variant of the tool.

Kazuar uses a command-and-control (C2) channel that gives attackers access to compromised systems and lets them exfiltrate data, according to the researchers. It can communicate over several protocols, including HTTP, HTTPS, FTP, and FTPS.

Some Overlap With Sunburst

In January 2021, Kaspersky reported that it had found several features in Kazuar that overlap with Sunburst, the backdoor discovered a month earlier by FireEye (now Google's Mandiant) and used in the broad SolarWinds supply chain attack. Sunburst is a backdoor Trojan that communicates with its operators' Web servers over standard HTTP; it was delivered as a digitally signed component of SolarWinds' widely used Orion IT management platform.

"A number of unusual, shared features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm, and the extensive usage of the FNV-1a hash," Kaspersky researchers explained. "Both Kazuar and Sunburst have implemented a delay between connections to a C2 server, likely designed to make the network activity less obvious."
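The FNV-1a hash that Kaspersky singles out is a simple, non-cryptographic string hash. Implants commonly use it to compare hashed process or API names so that the plaintext strings never appear in the binary; an analyst who meets such a constant recovers the string by hashing a list of candidates and looking the constant up. The Python below is an added example written for this page, not code from Unit 42, Kaspersky, or any Kazuar or Sunburst sample; the candidate process names and the "unknown constant" it resolves are constructed for illustration, and the page does not say which strings either malware family actually hashes.

```python
"""FNV-1a hashing (32- and 64-bit) plus a defender-side lookup that maps hash
constants found in a sample back to candidate strings.

Added example; the candidate list is constructed and not taken from any sample."""
from typing import Dict, Iterable, Optional

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x00000100000001B3


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each input byte into the state, then multiply by the prime.
    (FNV-1 performs the two steps in the opposite order; the variants are not
    interchangeable, so check which one a sample uses before building tables.)"""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """64-bit FNV-1a with the 64-bit offset basis and prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def build_lookup(candidates: Iterable[str], bits: int = 32) -> Dict[int, str]:
    """Precompute FNV-1a hashes for candidate strings (process names, API names, ...).

    Both the original and the lower-cased spelling are hashed, because string
    comparison routines in malware frequently normalise case before hashing."""
    hash_fn = fnv1a_32 if bits == 32 else fnv1a_64
    table: Dict[int, str] = {}
    for name in candidates:
        for variant in {name, name.lower()}:
            table[hash_fn(variant.encode("utf-8"))] = variant
    return table


def resolve(hash_value: int, table: Dict[int, str]) -> Optional[str]:
    """Return the candidate whose FNV-1a hash equals hash_value, or None if unknown."""
    return table.get(hash_value)


# Constructed candidate list: security-tool process names an implant might check for.
CANDIDATE_PROCESSES = ["MsMpEng.exe", "procmon.exe", "wireshark.exe", "x64dbg.exe"]
PROCESS_TABLE = build_lookup(CANDIDATE_PROCESSES)


if __name__ == "__main__":
    # Stand-in for a 32-bit constant pulled out of a disassembled comparison routine.
    unknown_constant = fnv1a_32(b"wireshark.exe")
    print(f"0x{unknown_constant:08x} -> {resolve(unknown_constant, PROCESS_TABLE)}")
```

In practice the candidate list comes from a large wordlist (process names, exported API names, known security products), and an unresolved constant is itself a finding: it tells the analyst the sample is looking for something not yet on the list.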

Matthieu Faou, a senior malware researcher at ESET, agrees with Unit 42's findings. ESET observed a similar Kazuar sample deployed at the Ministry of Foreign Affairs of a South American country in December 2021.

"Kazuar is very typical of the complex implants that Turla used a lot in the past (such as Carbon, ComRAT and Gazer)," Faou says. "It uses compromised WordPress websites as C2 servers, which is also very typical for the group."


