Kazuar

Malware updated 4 months ago (2024-05-04T20:24:42.895Z)
Kazuar is a sophisticated multiplatform trojan linked to the Russia-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. The group, believed to be connected to the Russian Federal Security Service (FSB), uses an array of malware families in its operations, including Kazuar, Capibar, Snake, QUIETCANARY, Kopiluwak, Crutch, ComRAT, Carbon, HyperStack, and TinyTurla.

Recent research from Lab52 revealed that Turla uses a novel method for distributing Kazuar: a distinctive Pelmeni wrapper DLL. The same study highlighted subtle but significant changes in Kazuar's deployment, including a new data exfiltration protocol and variations in the logging directory.

Kazuar is typically used as a second-stage payload and is characterized by robust code and string obfuscation and protection. It has been a critical tool in Turla's arsenal since its discovery in 2017 and has been involved in several high-profile breaches, including the SolarWinds attack. The malware targets specific artifacts such as Git SCM, a source control system popular among developers, and Signal, a private instant messaging service. Researchers have recently observed an upgraded variant of Kazuar, demonstrating the group's evolving tactics.

Cortex XDR, a cybersecurity platform, has raised alerts on Kazuar execution, specifically instances where Kazuar was injected into explorer.exe; these attempts were blocked by Cortex XDR, underlining the value of advanced threat detection and response tooling against such threats. The MITRE ATT&CK techniques used in the Kazuar campaigns further highlight the complexity of these attacks. As Turla continues to evolve its tactics and tools, ongoing vigilance and advanced cybersecurity measures remain essential to prevent and mitigate them.
Description last updated: 2024-03-15T13:15:36.385Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Turla | 8 | Turla, a threat actor linked to Russia, is known for its sophisticated cyber-espionage activities. It has been associated with numerous high-profile attacks, employing innovative techniques and malware to infiltrate targets and execute actions with malicious intent. According to MITRE ATT&CK and MIT
Uroburos | 5 | Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen
Capibar | 5 | Capibar, a new malware identified as part of the arsenal of the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, or Snake), has been used in recent cyberattacks. This group, linked to the Russian Federal Security Service (FSB) and active since at least 2004, has deployed Capib
Snake | 3 | Snake, also known as EKANS, is a threat actor first identified by Dragos on January 6, 2020. This malicious entity is notorious for its deployment of ransomware and keyloggers, primarily targeting business networks. The Snake ransomware variant has been linked to Iran and exhibits an industrial focu
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Payload
Espionage
Trojan
Implant
Encryption
Windows
Proxy
Microsoft
Analyst Notes & Discussion
Associated Malware
ID | Type | Votes | Profile Description
SUNBURST | is related to | 6 | Sunburst is a sophisticated malware that has been linked to the Kazuar code, indicating its complexity. It was used in several well-known cyber attack campaigns such as SUNBURST, OilRig, xHunt, DarkHydrus, and Decoy Dog, which employed DNS tunneling techniques for command and control (C2) communicat
HyperStack | Unspecified | 2 | HyperStack, also known as SilentMoo or BigBoss, is a Remote Procedure Call (RPC) backdoor malware that was first observed in 2018. It has been utilized in operations targeting European government entities and is linked to the Russian-based threat group Pensive Ursa, which has been operational since
Tomiris | Unspecified | 2 | Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i
Gazer | Unspecified | 2 | Gazer is a second-stage backdoor malware written in C++ that was unveiled by Turla in August. It was discovered to have been deployed through watering-hole attacks and spear-phishing campaigns, enabling more precise targeting of victims. The malware is attributed to Pensive Ursa due to strong simila
Ursa | Unspecified | 2 | Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malwar
Associated Threat Actors
ID | Type | Votes | Profile Description
Pensive Ursa | Unspecified | 4 | Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti
Turla Group | Unspecified | 3 | The Turla group, also known as Pensive Ursa, Krypton, Secret Blizzard, Venomous Bear, or Uroburos, is a notable threat actor that has been linked to the Russian Federal Security Service (FSB). With a history dating back to 2004, this group operates in painstaking stages, first conducting reconnaissa
Secret Blizzard | Unspecified | 2 | Secret Blizzard, also known as Turla, KRYPTON, and UAC-0003, is a threat actor group linked to Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since the early 2000s, primarily targeting government organizations worldwide. The group's activities we
Venomous Bear | Unspecified | 2 | Venomous Bear, also known as Turla, Urobouros, Snake, and other names, is a threat actor group attributed to Center 16 of the Federal Security Service (FSB) of the Russian Federation. The group has been active since at least 2004, targeting diplomatic and government organizations, as well as private
Krypton | Unspecified | 2 | Krypton, also known as Secret Blizzard or UAC-0003, is a significant threat actor that has been associated with Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since at least 2004, targeting diplomatic and government organizations as well as priva
Pensive | Unspecified | 2 | Pensive Ursa, also known as Turla or Uroburos, is a Russian-based threat group that has been active since at least 2004 and is linked to the Russian Federal Security Service (FSB). The group employs advanced and stealthy tools like Kazuar, a .NET backdoor used as a second stage payload. In 2023, Pen
Source Document References
Information about the Kazuar malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 6 months ago | Windows tool helps RedCurl obscure cyberespionage attacks
CERT-EU | 6 months ago | Turla Leverages 'Pelmeni Wrapper' for Stealthy Kazuar Backdoor Delivery
DARKReading | 7 months ago | Russian APT Turla Wields Novel Backdoor Malware Against Polish NGOs
Checkpoint | 10 months ago | 6th November – Threat Intelligence Report - Check Point Research
CERT-EU | 10 months ago | Cyber Security Week In Review: November 3, 2023
DARKReading | 10 months ago | Upgraded Kazuar Backdoor Offers Stealthy Power
CERT-EU | 10 months ago | Over the Kazuar's nest: Cracking down on a freshly hatched backdoor used by Pensive Ursa - Cyber Security Review
CERT-EU | 10 months ago | Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor
InfoSecurity-magazine | 10 months ago | Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor
Unit42 | 10 months ago | Over the Kazuar's Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)
Trend Micro | a year ago | Examining the Activities of the Turla APT Group
Unit42 | a year ago | Threat Group Assessment: Turla (aka Pensive Ursa)
CERT-EU | a year ago | IT threat evolution in Q2 2023 – GIXtools
CERT-EU | a year ago | IT threat evolution Q2 2023
CERT-EU | a year ago | Cyber Attacks by Non-State Actors Continue Astride in Europe
CERT-EU | a year ago | Cyber Security Week In Review: July 21, 2023
CERT-EU | a year ago | Hackers Turn Exchange Servers into Malware Command & Control Centers
CERT-EU | a year ago | Turla hackers target defense sector in Ukraine and Eastern Europe
BankInfoSecurity | a year ago | Russian Hackers Probe Ukrainian Defense Sector With Backdoor
BankInfoSecurity | a year ago | GoldenJackal APT Targeting South Asian Government Agencies