Nov 01, 2023 | Newsroom | Cyber Threat / Malware

Anti-Analysis to Evade Detection

The Russia-linked hacking crew known as Turla has been observed using an updated version of a known second-stage backdoor called Kazuar.

The new findings come from Palo Alto Networks Unit 42, which is tracking the adversary under its constellation-themed moniker Pensive Ursa.

“As the code of the upgraded revision of Kazuar reveals, the authors put special emphasis on Kazuar’s ability to operate in stealth, evade detection and thwart analysis efforts,” security researchers Daniel Frank and Tom Fakterman said in a technical report.

“They do so using a variety of advanced anti-analysis techniques and by protecting the malware code with effective encryption and obfuscation practices.”

Pensive Ursa, active since at least 2004, is attributed to the Russian Federal Security Service (FSB). Earlier this July, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated the threat group in attacks targeting the defense sector in Ukraine and Eastern Europe with backdoors such as DeliveryCheck and Kazuar.

Kazuar is a .NET-based implant that first came to light in 2017 for its ability to stealthily interact with compromised hosts and exfiltrate data. In January 2021, Kaspersky highlighted source code overlaps between the malware strain and Sunburst, another backdoor used in conjunction with the SolarWinds hack of 2020.

The enhancements to Kazuar indicate that the threat actor behind the operation continues to evolve its attack methods and grow in sophistication, while expanding its ability to control victims’ systems. This includes the use of robust obfuscation and custom string encryption methods to evade detection.

“Kazuar operates in a multithreading model, where each of Kazuar’s main functionalities operates as its own thread,” the researchers explained.

“In other words, one thread handles receiving commands or tasks from its [command-and-control], while a solver thread handles execution of those commands. This multithreading model allows Kazuar’s authors to establish an asynchronous and modular flow control.”

The malware supports a wide range of features – jumping from 26 commands in 2017 to 45 in the latest variant – that facilitate comprehensive system profiling, data collection, credential theft, file manipulation, and arbitrary command execution.

It also incorporates capabilities to set up automated tasks that run at specified intervals to gather system information, take screenshots, and grab files from specific folders. Communication with C2 servers takes place over HTTP.

“In addition to direct HTTP communication with the C2, Kazuar has the ability to function as a proxy, to receive and send commands to other Kazuar agents in the infected network,” the researchers said.

“It’s doing this proxy communication via named pipes, generating their names based on the machine’s GUID. Kazuar uses these pipes to establish peer-to-peer communication between different Kazuar instances, configuring each as a server or a client.”
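The named-pipe peer-to-peer proxying described above is visible in endpoint telemetry: Sysmon logs pipe creation (Event ID 17) and pipe connection (Event ID 18) with the image that performed each. The following hunting script is an added example for this page, not code from Unit 42 or from the Kazuar sample, and it does not reproduce Kazuar's actual pipe-naming algorithm (the article only says the names derive from the machine GUID). It assumes a heuristic: a pipe whose name is a bare GUID or a long hex blob, owned by a binary outside the usual install paths, and joined by a different process than the one that created it, is worth a look. The sample events are constructed to illustrate the logic.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style pipe events (17 = Pipe Created, 18 = Pipe Connected).
# These are illustrative records, not telemetry from a real Kazuar infection.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\ntsvcs"},
    {"EventID": 17, "Image": r"C:\Windows\System32\spoolsv.exe", "PipeName": r"\spoolss"},
    {"EventID": 17, "Image": r"C:\Users\alice\AppData\Roaming\update\upd.exe",
     "PipeName": r"\{6c1f8e2a-3b4d-4e5f-9a0b-1c2d3e4f5a6b}"},
    {"EventID": 18, "Image": r"C:\ProgramData\cache\svc.exe",
     "PipeName": r"\{6c1f8e2a-3b4d-4e5f-9a0b-1c2d3e4f5a6b}"},
    {"EventID": 17, "Image": r"C:\Program Files\Vendor\agent.exe",
     "PipeName": r"\3f2a9c7e1b0d4e6f8a5c2d1e9b7f4a3c"},
]

# Heuristic (assumption): names that are a bare GUID or a long hex string look
# machine-derived rather than developer-chosen. fullmatch keeps names such as
# Chrome's "\mojo.<pid>.<tid>.<digits>" from tripping the long-hex rule.
GUID_RE = re.compile(r"\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?")
LONG_HEX_RE = re.compile(r"[0-9a-fA-F]{32,}")

# Well-known RPC pipes to drop up front; extend per environment.
KNOWN_GOOD_PIPES = {r"\ntsvcs", r"\spoolss", r"\lsass", r"\srvsvc", r"\wkssvc", r"\samr"}

# Paths from which legitimately installed software normally runs (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def pipe_name_looks_generated(name: str) -> bool:
    """True if the pipe name (minus its leading backslash) is a bare GUID or hex blob."""
    bare = name.lstrip("\\")
    return bool(GUID_RE.fullmatch(bare) or LONG_HEX_RE.fullmatch(bare))


def image_is_untrusted(image: str) -> bool:
    """True if the creating/connecting binary lives outside the trusted install paths."""
    return not image.lower().startswith(TRUSTED_PREFIXES)


def hunt_pipe_events(events, min_score=3):
    """Group pipe events by name and score each pipe on three signals:
    machine-id-style name, untrusted owner, and a creator/connector pairing
    across two different binaries (the server/client layout the article
    describes). Returns findings at or above min_score, highest score first."""
    by_pipe = defaultdict(lambda: {"creators": set(), "connectors": set()})
    for ev in events:
        name = ev["PipeName"]
        if name in KNOWN_GOOD_PIPES:
            continue
        if ev["EventID"] == 17:
            by_pipe[name]["creators"].add(ev["Image"])
        elif ev["EventID"] == 18:
            by_pipe[name]["connectors"].add(ev["Image"])

    findings = []
    for name, b in by_pipe.items():
        reasons, score = [], 0
        if pipe_name_looks_generated(name):
            reasons.append("machine-id-style pipe name")
            score += 2
        images = b["creators"] | b["connectors"]
        if any(image_is_untrusted(i) for i in images):
            reasons.append("pipe owner outside trusted install paths")
            score += 2
        # Created by one binary and joined by a different one: peer pairing.
        if b["creators"] and (b["connectors"] - b["creators"]):
            reasons.append("cross-process server/client pairing")
            score += 1
        if score >= min_score:
            findings.append({"pipe": name, "images": sorted(images),
                             "reasons": reasons, "score": score})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in hunt_pipe_events(SAMPLE_EVENTS):
        print(f["score"], f["pipe"], f["images"], "; ".join(f["reasons"]))
```

On the constructed input only the GUID-named pipe shared between two binaries under user-writable paths crosses the default threshold; the 32-hex pipe owned by a binary under Program Files scores 2 and surfaces only if `min_score` is lowered, which is the knob to turn when hunting rather than alerting. Expect tuning work in practice: a number of legitimate applications also use GUID-like or hash-like pipe names, so the allowlist and trusted-path set need to reflect the environment before this is promoted from a hunt query to a detection.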

What’s more, the extensive anti-analysis functionality lends Kazuar a high degree of stealth, ensuring it remains idle and ceases all C2 communication if it detects that it is being debugged or analyzed.

The development comes as Kaspersky revealed that various state and industrial organizations in Russia have been targeted with a custom Go-based backdoor that performs data theft as part of a spear-phishing campaign that commenced in June 2023. The threat actor behind the operation is currently unknown.
