Links Found By Researchers Between Sunburst And Russian Malware Kazuar

It’s the first time when cybersecurity researchers have discovered a likely association between the backdoor that was utilized in the SolarWinds Supply Chain Attack and a formerly known malware strain. In a new examination that was published by Kaspersky scientists, the online protection firm said it found a few highlights that are quite similar with a different backdoor known as Kazuar, it is a .NET-based (dot net based) malware first reported in 2017 by Palo Alto Networks. Revealed early in the previous month, the undercover work crusade was remarkable for its scale and covertness, with the assailants utilizing the trust-related with SolarWinds Orion programming to penetrate government offices and different organizations in order to send a custom malware codenamed as “Sunburst”.

Attribution for the SolarWinds compromise has been troublesome to a limited extent because of almost no signs connecting the assault foundation to past missions or other notable dangerous threat groups. Yet, Kaspersky’s most recent examination of the Sunburst hidden backdoor has uncovered various shared highlights among this malware and Kazuar, driving the specialists to speculate that both the Sunburst and Kazuar are created by a similar group of threat actors, the enemy responsible for Sunburst could have utilized Kazuar as a motivation, the group related Kazuar (Turla) and Sunburst (Dark Halo) acquired the malware from a solitary source, the engineers of Kazuar could have moved to another group with their toolset or the Sunburst engineers intentionally presented these connections as “bogus banner” to mislead researchers to another group.

The shared traits divided among the two malware incorporate the utilization of a dozing calculation to remain lethargic for an arbitrary period between associations with a C2 worker, the broad use of the FNV-1a hash to jumble the noxious code, and the utilization of a hashing calculation to produce one of a kind casualty identifiers. While Kazuar haphazardly chooses a resting period somewhere in the range of two weeks or a month between C2 associations, Sunburst arbitrarily selects a dozing period somewhere in the range of 12 and 14 days prior to communicating the server for beginning observations. In any case, specialists noticed that the recipe used to figure the dozing time stays the same for both.

Kazuar is a complete feature embedded backdoor that was composed in .NET (dot net) framework and completely depends on the common-and-control server (C2 server) to permit the attackers to communicate and interact with the subject system and extract all possible information. Features of Kazuar run the common spyware gamut with the help of executing malicious commands, storing screenshots, and using a plugin command to add and perform more functionalities.

Palo Alto Networks’ Unit 42 group likely connected this instrument to the Russian dangerous threat group Turla (otherwise known as Uroburos and Snake) in light of the way that the “code lineage in Kazuar can be traced back to at least 2005.” Furthermore, on November 18, 2020, Kazuar received a total upgrade with a complete new keylogger and secret password-taking capacities added to the backdoor in the form of a command for the Command-and-control server. While it’s typical for attackers to continue to refresh their toolset and acquaint highlights planned to dodge endpoint recognition and response (EDR) frameworks, Kaspersky specialists raised the likelihood that the progressions may have been acquainted accordingly with the SolarWinds breach. The researchers said that “Suspecting the SolarWinds attack might be discovered, the Kazuar code was changed to resemble the Sunburst backdoor as little as possible”.

A week ago, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), together with the Federal Bureau of Investigation (FBI), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA), gave a joint assertion officially denouncing an attacker “likely Russian in origin” for organizing the SolarWinds supply chain attack. In another update by CISA on January 06, it was stated that “incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services”.

Researchers from Kaspersky finished up by saying that “these code overlaps between Kazuar and Sunburst are interesting and represent the first potential identified link to a previously known malware family”, “While Kazuar and Sunburst may be related, the nature of this relation is still not clear. Through further analysis, it is possible that evidence conforming to one or several of these points might arise. At the same time, it is also possible that the Sunburst developers were really good at their opsec and didn’t make any mistakes, with this link being an elaborate false flag”.

If you like this article, follow us on Twitter, Facebook, Instagram, and Linkedin.