Kivars

Malware Profile Updated 24 days ago
Kivars is a malware family that was identified being used together with two other families, PLEAD and Waterbear, against the same targets. The first such incidents were detected on February 23rd and March 8th, 2017, when PLEAD and Kivars were seen attacking the same target. On March 16th, 2017, a further incident was observed in which PLEAD, KIVARS, and Waterbear were all used against one target. The three families share the use of the Right-to-Left Override (RTLO) technique to disguise their installers as documents, which makes them hard for users to spot. Operationally, PLEAD and KIVARS are typically used in the initial phase of an attack, while Waterbear serves as a secondary backdoor installed after the attackers have gained a certain level of privilege.

Kivars is part of the Shrouded Crossbow suite, which employs three BIFROST-derived backdoors: BIFROSE, KIVARS, and XBOW. KIVARS has less functionality than BIFROSE, but its modular structure makes it easier to maintain; XBOW's capabilities are derived from both BIFROSE and KIVARS. KIVARS lets attackers download and execute files, list drives, uninstall the malware service, take screenshots, activate and deactivate a keylogger, show or hide active windows, and trigger mouse clicks and keyboard input.

The IP address 211[.]72[.]242[.]120 has been linked to KIVARS; it hosted the domain microsoftmse[.]com, which several KIVARS variants have used. This highlights the sophisticated nature of these attacks and the need for robust defensive measures to counter such threats.
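As an added illustration, not taken from the profile above or from any vendor's tooling, the following Python shows why the RTLO trick works and how a defender can flag it: a name such as report<U+202E>cod.exe is drawn as reportexe.doc, while the operating system still treats it as a .exe. The sample filenames are constructed; the rendering model (text after a single U+202E is shown reversed) is a simplification of real bidi layout.

```python
# Added example: flag Right-to-Left Override (RTLO) filename disguises
# of the kind described in the profile. Sample filenames are constructed.

# Unicode bidi controls that alter how a name is displayed without changing
# the bytes the OS uses to choose the handler program.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO = "\u202E"


def strip_bidi(name: str) -> str:
    """The name as the OS sees it for handler selection: controls removed."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def rendered_name(name: str) -> str:
    """Approximate what the user sees: text after the first RLO is drawn
    reversed, and the control characters themselves are invisible."""
    head, sep, tail = name.partition(RLO)
    tail = strip_bidi(tail)
    return strip_bidi(head) + (tail[::-1] if sep else tail)


def extension(name: str) -> str:
    """Lower-cased extension of a name, or '' when it has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyze(name: str) -> dict:
    """Compare the displayed extension with the real one and flag a mismatch."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    shown = rendered_name(name)
    result = {
        "displayed_as": shown,
        "displayed_extension": extension(shown),
        "real_extension": extension(strip_bidi(name)),
        "bidi_controls": controls,
    }
    # The disguise shows a document extension while the real one is executable.
    result["suspicious"] = bool(controls) and (
        result["displayed_extension"] != result["real_extension"]
    )
    return result


if __name__ == "__main__":
    for sample in ["quarterly_report.doc", "report" + RLO + "cod.exe"]:
        print(analyze(sample))
```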
Source Document References
Information about the Kivars malware was read from the document corpus below (display limited to 20 results).
MITRE (added a year ago): The Trail of BlackTech’s Cyber Espionage Campaigns