Turla Updates Kazuar Backdoor with Advanced Anti-Analysis to Evade Detection

November 1, 2023 at 03:49AM

Turla, a Russia-linked hacking group, is using an updated version of a backdoor called Kazuar that emphasizes stealth and evasion techniques, according to Palo Alto Networks Unit 42. Kazuar, a .NET-based implant first discovered in 2017, has been improved by the threat actor behind the operation to enhance their attack methods and control over victims’ systems. The backdoor supports a wide range of features, including data collection, credential theft, and arbitrary command execution. It can also communicate with other instances of Kazuar in an infected network and evade analysis attempts.

Key takeaways from the report:

1. The Russia-linked hacking group known as Turla has updated its second-stage backdoor, Kazuar, to operate stealthily, evade detection, and thwart analysis efforts.
2. Palo Alto Networks Unit 42, which tracks the adversary under the name Pensive Ursa, reported these findings.
3. Pensive Ursa, believed to be the Russian Federal Security Service (FSB), has been active since at least 2004 and has targeted the defense sector in Ukraine and Eastern Europe.
4. Kazuar is a .NET-based implant that first emerged in 2017 and has the ability to interact stealthily with compromised hosts and extract data.
5. The latest version of Kazuar shows improvements indicating that the threat actor behind the operation is evolving and growing in sophistication.
6. Kazuar uses advanced obfuscation and encryption techniques to evade detection and protect the malware code.
7. The malware operates on a multithreading model, allowing for asynchronous and modular flow control.
8. Kazuar supports a wide range of features, including system profiling, data collection, credential theft, file manipulation, and arbitrary command execution.
9. It can also set up automated tasks to gather system data, take screenshots, and grab files from specific folders.
10. Kazuar communicates with C2 servers over HTTP and can function as a proxy, enabling communication between different instances in an infected network.
11. The malware has extensive anti-analysis functionalities to stay hidden and cease communication if being debugged or analyzed.
12. In addition to the Kazuar update, a separate spear-phishing campaign targeting state and industrial organizations in Russia was recently discovered. The threat actor behind this operation is currently unknown.

These takeaways highlight the ongoing developments and sophistication of the Turla/Pensive Ursa threat actor, as well as the evolving tactics and capabilities of their backdoor, Kazuar.
