The Russia-linked hacking crew known as Turla has been observed using an updated version of a known second-stage backdoor referred to as Kazuar.
The new findings come from Palo Alto Networks Unit 42, which is tracking the adversary under its constellation-themed moniker Pensive Ursa.
“As the code of the upgraded revision of Kazuar reveals, the authors put special emphasis on Kazuar’s ability to operate in stealth, evade detection and thwart analysis efforts,” security researchers Daniel Frank and Tom Fakterman said in a technical report.
“They do so using a variety of advanced anti-analysis techniques and by protecting the malware code with effective encryption and obfuscation methods.”
Pensive Ursa, active since at least 2004, is attributed to the Russian Federal Security Service (FSB). Earlier this July, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated the threat group in attacks targeting the defense sector in Ukraine and Eastern Europe with backdoors such as DeliveryCheck and Kazuar.
Kazuar is a .NET-based implant that first came to light in 2017 for its ability to stealthily interact with compromised hosts and exfiltrate data. In January 2021, Kaspersky highlighted source code overlaps between the malware strain and Sunburst, another backdoor used in conjunction with the SolarWinds hack of 2020.
The improvements to Kazuar indicate that the threat actor behind the operation continues to evolve its attack techniques and grow in sophistication, while expanding its ability to control victims’ systems. This includes the use of robust obfuscation and custom string encryption techniques to evade detection.
“Kazuar operates in a multithreading model, where each of Kazuar’s main functionalities operates as its own thread,” the researchers explained.
“In other words, one thread handles receiving commands or tasks from its [command-and-control], while a solver thread handles execution of these commands. This multithreading model allows Kazuar’s authors to create an asynchronous and modular flow control.”
The malware supports a wide range of features, jumping from 26 commands in 2017 to 45 in the latest variant, that facilitate comprehensive system profiling, data collection, credential theft, file manipulation, and arbitrary command execution.
It also includes capabilities to set up automated tasks that run at specified intervals to collect system information, take screenshots, and retrieve files from specific folders. Communication with C2 servers takes place over HTTP.
“In addition to direct HTTP communication with the C2, Kazuar has the ability to function as a proxy, to receive and send commands to other Kazuar agents in the infected network,” the researchers said.
“It is performing this proxy communication through named pipes, generating their names based on the machine’s GUID. Kazuar uses these pipes to establish peer-to-peer communication between different Kazuar instances, configuring each as a server or a client.”
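The GUID-derived pipe naming quoted above gives defenders one hunting angle: compare the names of live named pipes against the host's own machine GUID. The following triage script is an added example, not Unit 42's or Kazuar's code; it assumes the GUID may appear verbatim in a pipe name (with or without braces or dashes), which is an illustrative assumption since the report excerpt does not describe the exact derivation.

```python
"""Flag named pipes whose names embed this host's machine GUID.

Added defender-side triage example, not Unit 42's or Kazuar's own code.
It assumes the GUID may appear verbatim in a pipe name, with or without
braces or dashes (an illustration; the real derivation is not on the page).
On Windows it reads MachineGuid and the live pipe list; elsewhere it uses
the constructed sample data below.
"""
import os
import re
import sys
from typing import Iterable

# Constructed sample data for non-Windows runs (not real indicators).
SAMPLE_GUID = "6f9619ff-8c86-4d1a-b6bc-8d01a2d95b6e"
SAMPLE_PIPES = [
    "lsass", "srvsvc", "wkssvc", "chrome.12345.0.1234567890",
    "kz_6f9619ff8c864d1ab6bc8d01a2d95b6e_srv",   # dashless form
    "{6F9619FF-8C86-4D1A-B6BC-8D01A2D95B6E}",    # braced, upper-case
    "mojo.1234.5678.987654321",
]

def guid_pattern(machine_guid: str) -> "re.Pattern[str]":
    """Regex for the GUID in 8-4-4-4-12 form; dashes and braces optional."""
    h = re.sub(r"[^0-9a-f]", "", machine_guid.lower())
    if len(h) != 32:
        raise ValueError(f"not a GUID: {machine_guid!r}")
    groups = [h[:8], h[8:12], h[12:16], h[16:20], h[20:]]
    return re.compile(r"\{?" + r"-?".join(groups) + r"\}?", re.IGNORECASE)

def pipes_embedding_guid(names: Iterable[str], machine_guid: str) -> list:
    """Return the pipe names that contain the machine GUID in any spelling."""
    pattern = guid_pattern(machine_guid)
    return [name for name in names if pattern.search(name)]

def windows_machine_guid() -> str:
    """Read HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid (Windows only)."""
    import winreg  # only available on Windows
    key = r"SOFTWARE\Microsoft\Cryptography"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        return winreg.QueryValueEx(k, "MachineGuid")[0]

if __name__ == "__main__":
    if sys.platform == "win32":
        names, guid = os.listdir(r"\\.\pipe"), windows_machine_guid()
    else:
        names, guid = SAMPLE_PIPES, SAMPLE_GUID
    for hit in pipes_embedding_guid(names, guid):
        print("pipe name embeds the machine GUID:", hit)
```

Any hit is a lead for further review, not a verdict: legitimate software also creates GUID-named pipes, so correlate with the owning process and its image path before acting.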
What’s more, the extensive anti-analysis functionality lends Kazuar a high degree of stealth, ensuring it remains idle and ceases all C2 communication if it is being debugged or analyzed.
The development comes as Kaspersky disclosed that a number of state and industrial organizations in Russia had been targeted with a custom Go-based backdoor that performs data theft as part of a spear-phishing campaign that began in June 2023. The threat actor behind the operation is currently unknown.
Some parts of this article are sourced from:
thehackernews.com