Turla Enhances Kazuar Backdoor with Sophisticated Anti-Analysis Measures for Stealthy Operations

    The hacking group Turla, with ties to Russia, now uses an updated version of the Kazuar backdoor. First found in 2017, this .NET-based implant stands out for its stealthy data theft from compromised hosts. Security researchers at Palo Alto Networks Unit 42 have tracked this group as Pensive Ursa. They discovered that the latest Kazuar version prioritises stealth operation, detection evasion, and resistance to analysis. This version also boasts advanced anti-analysis techniques, encryption, and obfuscation to safeguard its code.

    Pensive Ursa’s Background

    Active since 2004, Pensive Ursa is widely believed to be associated with the Russian Federal Security Service (FSB). The group has previously targeted the defence sectors in Ukraine and Eastern Europe, using backdoors such as DeliveryCheck and Kazuar in those attacks. The latest Kazuar enhancements show that the group's tradecraft is evolving: it is becoming more sophisticated and strengthening its grip on victims' systems through strong obfuscation and custom string encryption.

    In June 2023, a new campaign by Turla, also known as Secret Blizzard, was detected by Microsoft and CERT-Ukraine, targeting defence sector organisations in Ukraine and Eastern Europe through malicious phishing attachments [1].

    Kazuar’s Enhanced Capabilities

    Kazuar uses a multithreading model: each primary function runs in its own thread, giving the implant modular, asynchronous control flow. Its feature set is extensive. The recent variant supports 45 commands, ranging from system profiling and data collection to credential theft and file manipulation. It can also schedule automated tasks at set times, such as collecting system data or taking screenshots. It communicates with its command-and-control (C2) servers over HTTP. Kazuar can additionally act as a proxy and can communicate with other infected systems over named pipes, forming peer-to-peer links between compromised hosts.

    The Ukrainian CERT reported in July 2023 that this updated version of Kazuar specifically targeted the Ukrainian defence sector, focusing on sensitive assets such as Signal messages, source control repositories, and cloud platform data [2].

    Anti-Analysis Features of Kazuar

    Kazuar has a range of anti-analysis features that help it stay concealed. If it detects attempts at debugging or analysis, it halts all C2 communication. This tactic is designed to hinder detection and analysis by security researchers and malware analysts. The updated Kazuar backdoor is noted for its revised anti-analysis techniques and its ability to disrupt its own C2 communication when under scrutiny [3].

    Other Threats to Note

    In a related development, Kaspersky has recently reported a spear-phishing campaign targeting state and industrial entities in Russia. The attackers used a custom Go-based backdoor. The identity of the threat actor behind this campaign is currently unknown.
