KIVARS, a backdoor, was identified as being used in conjunction with two other malware families, PLEAD and Waterbear, to target systems. The first incidents were detected on February 23rd and March 8th, 2017, when PLEAD and KIVARS were seen attacking the same target. On March 16th, 2017, another incident was observed in which PLEAD, KIVARS, and Waterbear were all used against the same target. All three families use the Right-to-Left Override (RTLO) technique to disguise their installers as documents, which makes them hard to spot by filename alone.
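The RTLO trick mentioned above works by embedding the Unicode character U+202E in a filename so that the characters after it are rendered in reverse, for example making an executable named `Report[U+202E]cod.exe` display as `Reportexe.doc`. The following Python snippet is an added defensive example, not code from the original page or from any of the malware families it describes; it flags filenames containing bidirectional control characters, approximates how the name would be displayed, and recovers the real extension. The sample filenames are constructed for illustration, and the rendering logic is a simplification of the full Unicode bidirectional algorithm (it reverses the run following U+202E up to a U+202C pop or the end of the string).

```python
import unicodedata

# Unicode bidirectional embedding/override/isolate controls. Any of these in a
# filename is unusual and worth flagging; U+202E is the classic RTLO trick.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}


def find_bidi_controls(name):
    """Return (index, unicode name) for every bidi control in the filename."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name)
            if ch in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate how a file manager would display the name.

    Simplified model: text after a RIGHT-TO-LEFT OVERRIDE (U+202E) is shown
    reversed until a POP DIRECTIONAL FORMATTING (U+202C) or end of string;
    other controls are invisible and simply dropped.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            j = i + 1
            while j < len(name) and name[j] != "\u202C":
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1  # skip the PDF terminator if present
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name):
    """Extension the OS will actually use, ignoring invisible controls."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def assess(name):
    """Summarise one filename for an analyst or a detection pipeline."""
    controls = find_bidi_controls(name)
    return {
        "name": name,
        "suspicious": bool(controls),
        "controls": controls,
        "displayed_as": rendered_name(name),
        "real_extension": real_extension(name),
    }


def scan_filenames(names):
    """Return assessments only for names that carry bidi controls."""
    return [a for a in (assess(n) for n in names) if a["suspicious"]]


if __name__ == "__main__":
    # Constructed sample attachment names (not real indicators).
    samples = [
        "quarterly.docx",
        "Report\u202Ecod.exe",   # displays as "Reportexe.doc", runs as .exe
        "invoice\u202Efdp.scr",  # displays as "invoicercs.pdf", runs as .scr
    ]
    for hit in scan_filenames(samples):
        print(f"{hit['displayed_as']!r} is really .{hit['real_extension']} "
              f"(controls at {hit['controls']})")
```

Feeding attachment or download names from mail-gateway or EDR logs through `scan_filenames` gives a cheap, high-signal detection for this disguise, since legitimate documents almost never contain bidirectional control characters in their names.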
The operational structure of these attacks typically uses PLEAD and KIVARS for the initial phase, with Waterbear serving as a secondary backdoor installed once the attackers have gained a sufficient level of privilege. KIVARS is part of the Shrouded Crossbow suite, which employs three BIFROST-derived backdoors: BIFROSE, KIVARS, and XBOW. While KIVARS has less functionality than BIFROSE, its modular structure makes it easier to maintain. XBOW's capabilities are derived from both BIFROSE and KIVARS.
KIVARS allows attackers to download and execute files, list drives, uninstall the malware's service, take screenshots, activate and deactivate a keylogger, show and hide active windows, and trigger mouse clicks and keyboard input. The IP address 211[.]72[.]242[.]120 has been linked to KIVARS; it hosted the domain microsoftmse[.]com, which several KIVARS variants have used. Both indicators are candidates for blocking and retrospective log searches.
Description last updated: 2024-05-05T09:57:04.168Z