Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor

Written by

The latest version of the Kazuar backdoor could be more sophisticated than previously imagined, according to Palo Alto Networks.

The Kazuar backdoor was used by the Russian hacking group Turla to target the Ukrainian defense sector in July 2023, the Ukrainian Computer Emergency and Response Team (CERT-UA) reported.

Researchers from Unit 42, Palo Alto’s threat intelligence team, found previously undocumented features to Kazuar’s latest variant, a .NET backdoor that Turla uses as a second-stage payload, delivered together with other tools.

Notable features, which are analyzed in detail in a report published on October 31, 2023, include the following:

  • Anti-detection features, including robust code and string obfuscation techniques, a multithreaded model for enhanced performance and a range of encryption schemes implemented to safeguard Kazuar’s code from analysis and to conceal its data, whether in memory, during transmission, or on disk
  • Anti-analysis functionalities
  • Extensive system profiling capabilities
  • The specific targeting of cloud applications

This version of Kazuar also supports over 40 distinct commands, half of which were previously undocumented.

These new features show significant improvements to Kazuar’s code structure and functionality.

“As the code of the upgraded revision of Kazuar reveals, the [Unit 42] authors put special emphasis on Kazuar’s ability to operate in stealth, evade detection and thwart analysis efforts,” reads the report.

What is the Kazuar Backdoor?

Kazuar is a .NET backdoor developed and maintained by the Russian hacking group Turla. It was first discovered in 2017 by Unit 42.

The Sunburst backdoor, used during what is commonly called the SolarWinds hack, in 2019 and 2020, has been tied to Kazuar by code resemblance, which demonstrates its complexity level.

Since its discovery, Kazuar has been observed in the wild only a handful of times, mainly targeting organizations in the European government and military sectors.

Before the outbreak of the war in Ukraine, Kazuar was last observed by Unit 42 researchers in late 2020. However, reports suggested the backdoor was under constant development.

In July 2023, CERT-UA reported that a brand-new version of Kazuar was used as part of a multi-staged campaign targeting the Ukrainian defense sector. Kazuar was being used with other tools, such as the new Capibar first-stage backdoor.

The threat group behind this variant was going after sensitive assets such as those found in Signal messages, source control and cloud platforms data.

Who are Turla?

Turla, also known as Pensive Ursa, Uroboros, Venomous Bear, Waterbug or UNC4210, is a Russian-based, highly sophisticated advanced persistent threat (APT) group operating since at least 2004 with espionage and intelligence-gathering motivations.

The group is linked to the Russian Federal Security Service (FSB).

Turla has a long history of conducting cyber-espionage campaigns against various victims, spanning multiple sectors such as high-tech, pharmaceuticals, government, and retail.

The group is known for using sophisticated malware and techniques, including custom backdoors, rootkits, and keyloggers. Turla is also known for its ability to maintain long-term access to victim networks, often for years.

In recent years, Turla has been involved in several high-profile cyberattacks, including targeting the US Department of State, the US Department of Energy, and the French Ministry of Foreign Affairs. The group has also been linked to the hacking of the Democratic National Committee in 2016.

Read more: Tomiris and Turla APT Groups Collaborate to Target Government Entities

What’s hot on Infosecurity Magazine?