Kazuar

Malware updated a month ago (2024-10-15T10:02:04.475Z)

Download STIX

Preview STIX

Kazuar is a sophisticated multiplatform trojan horse malware that has been associated with the Russian-based threat group Turla, also known as Pensive Ursa, Uroburos, or Snake. This group, believed to be linked to the Russian Federal Security Service (FSB), has been operating since at least 2004 and employs a variety of malware types in its operations, including Capibar, Kazuar, Snake, QUIETCANARY/Tunnus, Kopiluwak, Crutch, ComRAT, Carbon, HyperStack, and TinyTurla. The utilization of Kazuar, first discovered in 2017, is a consistent element of Turla's operations, and it has even been linked to the infamous SolarWinds breach. Recent research from Lab52 has revealed new tactics and a customized variant of the Kazuar trojan in Turla's recent campaigns. These include the use of a novel Pelmeni wrapper DLL for Kazuar malware distribution, process injection into explorer.exe, and the execution of native code by Kazuar for process injection and Windows Management Instrumentation (WMI) execution. These activities triggered several alerts, including an execution prevention alert by Cortex XDR. In addition, Lab52’s analysis noted subtle yet significant evolutions in Kazuar’s deployment, such as a new protocol for data exfiltration and variations in the logging directory. The MITRE ATT&CK techniques used in these Kazuar campaigns involve the theft of Git SCM credentials and the injection of the malware into explorer.exe, both prevented by Cortex XDR. The term "zombify" refers to Kazuar’s general process injection technique. Furthermore, the extracted .NET assembly was identified as a modified Kazuar trojan, marking this sample as unique from its predecessors. This evolving strategy demonstrates Turla's ongoing adaptation and sophistication in cyber warfare.

Description last updated: 2024-10-15T09:18:12.985Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Turla is a possible alias for Kazuar. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (	8
Capibar is a possible alias for Kazuar. Capibar, a new malware identified as part of the arsenal of the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, or Snake), has been used in recent cyberattacks. This group, linked to the Russian Federal Security Service (FSB) and active since at least 2004, has deployed Capib	5
Uroburos is a possible alias for Kazuar. Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen	5

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Malware

Payload

Trojan

Implant

Espionage

Windows

Encryption

Source

Proxy

Credentials

Tool

Microsoft

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The SUNBURST Malware is associated with Kazuar. Sunburst is a sophisticated malware that was detected in a major supply chain attack in December 2020. The Sunburst backdoor has been tied to Kazuar, another malicious software, due to code resemblance, indicating its high level of complexity. This malware infiltrates systems, often without the user	is related to	6
The Gazer Malware is associated with Kazuar. Gazer is a second-stage backdoor malware written in C++ that was unveiled by Turla in August. It was discovered to have been deployed through watering-hole attacks and spear-phishing campaigns, enabling more precise targeting of victims. The malware is attributed to Pensive Ursa due to strong simila	Unspecified	2
The HyperStack Malware is associated with Kazuar. HyperStack, also known as SilentMoo or BigBoss, is a Remote Procedure Call (RPC) backdoor malware that was first observed in 2018. It has been utilized in operations targeting European government entities and is linked to the Russian-based threat group Pensive Ursa, which has been operational since	Unspecified	2
The Ursa Malware is associated with Kazuar. Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malwar	Unspecified	2
The Tomiris Malware is associated with Kazuar. Tomiris is a malware group that has been active since at least 2019, known for using the backdoor QUIETCANARY. The group has also used Turla malware, indicating a possible cooperation or shared expertise between Tomiris and Turla. A significant development was observed in September 2022 when a Tunnu	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Pensive Ursa Threat Actor is associated with Kazuar. Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti	Unspecified	4
The Turla Group Threat Actor is associated with Kazuar. The Turla group, also known as Pensive Ursa, Krypton, Secret Blizzard, Venomous Bear, or Uroburos, is a notable threat actor that has been linked to the Russian Federal Security Service (FSB). With a history dating back to 2004, this group operates in painstaking stages, first conducting reconnaissa	Unspecified	3
The Venomous Bear Threat Actor is associated with Kazuar. Venomous Bear, also known as Turla, Urobouros, Snake, and other names, is a threat actor group attributed to Center 16 of the Federal Security Service (FSB) of the Russian Federation. The group has been active since at least 2004, targeting diplomatic and government organizations, as well as private	Unspecified	2
The Pensive Threat Actor is associated with Kazuar. Pensive Ursa, also known as Turla or Uroburos, is a Russian-based threat group that has been active since at least 2004 and is linked to the Russian Federal Security Service (FSB). The group employs advanced and stealthy tools like Kazuar, a .NET backdoor used as a second stage payload. In 2023, Pen	Unspecified	2
The Secret Blizzard Threat Actor is associated with Kazuar. Secret Blizzard, also known as Turla, KRYPTON, and UAC-0003, is a threat actor group linked to Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since the early 2000s, primarily targeting government organizations worldwide. The group's activities we	Unspecified	2
The Krypton Threat Actor is associated with Kazuar. Krypton, also known as Secret Blizzard or UAC-0003, is a significant threat actor that has been associated with Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since at least 2004, targeting diplomatic and government organizations as well as priva	Unspecified	2

Source Document References

Information about the Kazuar Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	8 months ago	Windows tool helps RedCurl obscure cyberespionage attacks
CERT-EU	9 months ago	Turla Leverages 'Pelmeni Wrapper' for Stealthy Kazuar Backdoor Delivery
DARKReading	9 months ago	Russian APT Turla Wields Novel Backdoor Malware Against Polish NGOs
Checkpoint	a year ago	6th November – Threat Intelligence Report - Check Point Research
CERT-EU	a year ago	Cyber Security Week In Review: November 3, 2023
DARKReading	a year ago	Upgraded Kazuar Backdoor Offers Stealthy Power
CERT-EU	a year ago	Over the Kazuar’s nest: Cracking down on a freshly hatched backdoor used by Pensive Ursa - Cyber Security Review
CERT-EU	a year ago	Palo Alto Reveals New Features in Russian APT Turla’s Kazuar Backdoor
InfoSecurity-magazine	a year ago	Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor
Unit42	a year ago	Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)
Trend Micro	a year ago	Examining the Activities of the Turla APT Group
Unit42	a year ago	Threat Group Assessment: Turla (aka Pensive Ursa)
CERT-EU	a year ago	IT threat evolution in Q2 2023 – GIXtools
CERT-EU	a year ago	IT threat evolution Q2 2023
CERT-EU	a year ago	Cyber Attacks by Non-State Actors Continue Astride in Europe
CERT-EU	a year ago	Cyber Security Week In Review: July 21, 2023
CERT-EU	a year ago	Hackers Turn Exchange Servers into Malware Command & Control Centers
CERT-EU	a year ago	Turla hackers target defense sector in Ukraine and Eastern Europe
BankInfoSecurity	a year ago	Russian Hackers Probe Ukrainian Defense Sector With Backdoor
BankInfoSecurity	a year ago	GoldenJackal APT Targeting South Asian Government Agencies