Posted on January 12, 2021 at 1:53 PM
Researchers Connect Kazuar Backdoor To Sunburst Malware
Last month, SolarWinds, Microsoft, and FireEye made a joint announcement, stating the discovery of a new strain of malware known as Sunburst against SolarWinds’ Orion IT customers.
However, Kaspersky security researchers have made progress to find out connections with the malware. The research team discovered various specific code similarities between the Kazuar backdoors and the Sunburst malware.
The discovery could provide more information to security researchers and security agencies for further investigation.
The Kazuar backdoor was previously linked to Russian hackers after an investigation by the U.S. law enforcement agencies was revealed.
Reports about the SolarWinds’ Orion breach revealed that the incident affected over 18,000 organizations before follow-on attacks on government agencies.
Major news outlets like the Washington Post reported that the perpetrators of the hacking incident are probably from the Russian APT group known as Cozy Bear or APT29. However, the Russian government has denied having anything to do with the attack.
Overlapping features between Kazuar and Sunburst
The Kaspersky security researchers said they have found several overlapping features between the Kazuar malware and the Sunburst backdoor. Kazuar is a .NET-based malware first discovered in 2017 by Palo Alto.
The Sunburst malware was notorious for its efficacy and hacking level, as the threat actors leveraged the trust linked with SolarWinds Orion software to compromise government institutions and other organizations.
Previously, researchers and other security agencies have found it difficult to attribute the SolarWinds supply-chain breach to any previous attack module.
The researchers couldn’t find any clue that can connect the infrastructure used with past malware campaigns.
But the latest discovery showed that the malware has some shared features with Kazuar. The researchers discovered that one threat group developed both Kazuar and Sunburst.
Furthermore, the group behind Sunburst (Dark Halo) and Kazuar (Turla) got the malware from a single source. The Sunburst creators also used several false links to divert attention to other threat groups.
Both malware families utilized a sleeping algorithm to stay undetected when connecting to a C2 server
But while Sunburst randomly chooses a sleeping period of up to two weeks before reaching out to the server for initial exploration, the Kuzuar malware takes up to four weeks between C2 connections.
However, researchers revealed that both malware versions used the same formula when calculating the sleeping time.
Kazuar connections with Turla
Kazuar is a completely featured backdoor written with the .NET framework. It utilizes the command-and-control (C2) system to enable threat actors to connect with the compromised system.
Like other malware functions, its features allow for the capture of screenshots, support for running malicious commands, and the release of more functionalities through a plugin command.
The Palo Alto unit team that linked the malware tool to the Turla Russian group based their findings on the “code lineage” dating back to 2005.
Additionally, the developers of the Kuzuar malware redesigned it with updates on its password and keylogger-stealing functions. This is in addition to the backdoor that is executed in the form of C2 server command.
Although it’s not uncommon for threat actors to update or redesign their malware to evade detection, the Kaspesky researchers said the recent redesign of Kuzuar may be related to the SolarWinds compromise.
The developers of the Kazua code may have suspected that the SolarWinds attack may be traced and decided to tweak its algorithms to stay under the radar.
The new discovery will help further investigations
Last week, U.S. security agencies, including the National Security Agency (NSA) and Federal Bureau of Investigations (FBI) issued a joint statement, informing the public that the Russian state-sponsored hackers are likely responsible for SolarWinds hack.
Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an update concerning the malware attack on SolarWinds. The agency said the investigation showed that initial access was obtained by password spraying or password guessing.
Kaspersky added that the new discovery about the overlapping nature of both malware codes is the first potential link to the malware family. With the discovery, it will be a lot easier to find more information about the malware and how best to protect systems against its exploitation, the researchers reiterated.