Kazuar

Malware updated a month ago (2024-11-29T14:40:23.137Z)
Download STIX
Preview STIX
Kazuar is a sophisticated multiplatform trojan horse malware that has been associated with the Russian-based threat group Turla, also known as Pensive Ursa, Uroburos, or Snake. This group, believed to be linked to the Russian Federal Security Service (FSB), has been operating since at least 2004 and employs a variety of malware types in its operations, including Capibar, Kazuar, Snake, QUIETCANARY/Tunnus, Kopiluwak, Crutch, ComRAT, Carbon, HyperStack, and TinyTurla. The utilization of Kazuar, first discovered in 2017, is a consistent element of Turla's operations, and it has even been linked to the infamous SolarWinds breach. Recent research from Lab52 has revealed new tactics and a customized variant of the Kazuar trojan in Turla's recent campaigns. These include the use of a novel Pelmeni wrapper DLL for Kazuar malware distribution, process injection into explorer.exe, and the execution of native code by Kazuar for process injection and Windows Management Instrumentation (WMI) execution. These activities triggered several alerts, including an execution prevention alert by Cortex XDR. In addition, Lab52’s analysis noted subtle yet significant evolutions in Kazuar’s deployment, such as a new protocol for data exfiltration and variations in the logging directory. The MITRE ATT&CK techniques used in these Kazuar campaigns involve the theft of Git SCM credentials and the injection of the malware into explorer.exe, both prevented by Cortex XDR. The term "zombify" refers to Kazuar’s general process injection technique. Furthermore, the extracted .NET assembly was identified as a modified Kazuar trojan, marking this sample as unique from its predecessors. This evolving strategy demonstrates Turla's ongoing adaptation and sophistication in cyber warfare.
Description last updated: 2024-10-15T09:18:12.985Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Turla is a possible alias for Kazuar. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
8
Capibar is a possible alias for Kazuar. Capibar, a new malware identified as part of the arsenal of the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, or Snake), has been used in recent cyberattacks. This group, linked to the Russian Federal Security Service (FSB) and active since at least 2004, has deployed Capib
5
Uroburos is a possible alias for Kazuar. Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen
5
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Payload
Trojan
Implant
Espionage
Windows
Encryption
Source
Proxy
Credentials
Tool
Microsoft
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The SUNBURST Malware is associated with Kazuar. Sunburst is a sophisticated malware that was detected in a major supply chain attack in December 2020. The Sunburst backdoor has been tied to Kazuar, another malicious software, due to code resemblance, indicating its high level of complexity. This malware infiltrates systems, often without the useris related to
6
The Gazer Malware is associated with Kazuar. Gazer is a second-stage backdoor malware written in C++ that was unveiled by Turla in August. It was discovered to have been deployed through watering-hole attacks and spear-phishing campaigns, enabling more precise targeting of victims. The malware is attributed to Pensive Ursa due to strong similaUnspecified
2
The HyperStack Malware is associated with Kazuar. HyperStack, also known as SilentMoo or BigBoss, is a Remote Procedure Call (RPC) backdoor malware that was first observed in 2018. It has been utilized in operations targeting European government entities and is linked to the Russian-based threat group Pensive Ursa, which has been operational since Unspecified
2
The Ursa Malware is associated with Kazuar. Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malwarUnspecified
2
The Tomiris Malware is associated with Kazuar. Tomiris is a malware group that has been active since at least 2019, known for using the backdoor QUIETCANARY. The group has also used Turla malware, indicating a possible cooperation or shared expertise between Tomiris and Turla. A significant development was observed in September 2022 when a TunnuUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Pensive Ursa Threat Actor is associated with Kazuar. Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activitiUnspecified
4
The Turla Group Threat Actor is associated with Kazuar. The Turla group, also known as Pensive Ursa, Krypton, Secret Blizzard, Venomous Bear, or Uroburos, is a notable threat actor that has been linked to the Russian Federal Security Service (FSB). With a history dating back to 2004, this group operates in painstaking stages, first conducting reconnaissaUnspecified
3
The Venomous Bear Threat Actor is associated with Kazuar. Venomous Bear, also known as Turla, Urobouros, Snake, and other names, is a threat actor group attributed to Center 16 of the Federal Security Service (FSB) of the Russian Federation. The group has been active since at least 2004, targeting diplomatic and government organizations, as well as privateUnspecified
2
The Pensive Threat Actor is associated with Kazuar. Pensive Ursa, also known as Turla or Uroburos, is a Russian-based threat group that has been active since at least 2004 and is linked to the Russian Federal Security Service (FSB). The group employs advanced and stealthy tools like Kazuar, a .NET backdoor used as a second stage payload. In 2023, PenUnspecified
2
The Secret Blizzard Threat Actor is associated with Kazuar. Secret Blizzard, also known as Turla, KRYPTON, and UAC-0003, is a threat actor group linked to Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since the early 2000s, primarily targeting government organizations worldwide. The group's activities weUnspecified
2
The Krypton Threat Actor is associated with Kazuar. Krypton, also known as Secret Blizzard or UAC-0003, is a significant threat actor that has been associated with Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since at least 2004, targeting diplomatic and government organizations as well as privaUnspecified
2
Source Document References
Information about the Kazuar Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
9 months ago
CERT-EU
10 months ago
DARKReading
10 months ago
Checkpoint
a year ago
CERT-EU
a year ago
DARKReading
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
Unit42
a year ago
Trend Micro
a year ago
Unit42
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
BankInfoSecurity
2 years ago