Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor

The latest version of the Kazuar backdoor could be more sophisticated than previously imagined, according to Palo Alto Networks. The Kazuar backdoor was used by the Russian hacking group Turla to target the Ukrainian defense sector in July 2023, the Ukrainian Computer Emergency and Response Team reported.

Researchers from Unit 42, Palo Alto's threat intelligence team, found previously undocumented features in Kazuar's latest variant, a .NET backdoor that Turla uses as a second-stage payload, delivered together with other tools. These include anti-detection features such as robust code and string obfuscation techniques, a multithreaded model for enhanced performance, and a range of encryption schemes implemented to safeguard Kazuar's code from analysis and to conceal its data, whether in memory, during transmission, or on disk. This version of Kazuar also supports over 40 distinct commands, half of which were previously undocumented. These new features show significant improvements to Kazuar's code structure and functionality.

"As the code of the upgraded revision of Kazuar reveals, the [Unit 42] authors put special emphasis on Kazuar's ability to operate in stealth, evade detection and thwart analysis efforts," reads the report.

Kazuar is a .NET backdoor developed and maintained by the Russian hacking group Turla. The Sunburst backdoor, used during what is commonly called the SolarWinds hack, in 2019 and 2020, has been tied to Kazuar by code resemblance, which demonstrates its complexity level. Since its discovery, Kazuar has been observed in the wild only a handful of times, mainly targeting organizations in the European government and military sectors. Before the outbreak of the war in Ukraine, Kazuar was last observed by Unit 42 researchers in late 2020. Reports suggested the backdoor was under constant development. In July 2023, CERT-UA reported that a brand-new version of Kazuar was used as part of a multi-staged campaign targeting the Ukrainian defense sector. Kazuar was being used with other tools, such as the new Capibar first-stage backdoor.

Turla is linked to the Russian Federal Security Service. The group has a long history of conducting cyber-espionage campaigns against various victims, spanning multiple sectors such as high-tech, pharmaceuticals, government, and retail. It is known for using sophisticated malware and techniques, including custom backdoors, rootkits, and keyloggers, and for its ability to maintain long-term access to victim networks, often for years. In recent years, Turla has been involved in several high-profile cyberattacks, including targeting the US Department of State, the US Department of Energy, and the French Ministry of Foreign Affairs. The group has also been linked to the hacking of the Democratic National Committee in 2016.

This Cyber News was published on www.infosecurity-magazine.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000

