The Russia-linked hacking crew known as Turla has been observed using an updated version of a known second-stage backdoor referred to as Kazuar.
The new findings come from Palo Alto Networks Unit 42, which is tracking the adversary under its constellation-themed moniker Pensive Ursa.
“As the code of the upgraded revision of Kazuar reveals, the authors put special emphasis on Kazuar’s ability to operate in stealth, evade detection and thwart analysis efforts,” security researchers Daniel Frank and Tom Fakterman said in a technical report.
“They do so using a variety of advanced anti-analysis techniques and by protecting the malware code with effective encryption and obfuscation practices.”
Pensive Ursa, active since at least 2004, is attributed to the Russian Federal Security Service (FSB). Earlier this July, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated the threat group to attacks targeting the defense sector in Ukraine and Eastern Europe with backdoors such as DeliveryCheck and Kazuar.
Kazuar is a .NET-based implant that first came to light in 2017 for its abilities to stealthily interact with compromised hosts and exfiltrate data. In January 2021, Kaspersky highlighted source code overlaps between the malware strain and Sunburst, another backdoor used in conjunction with the SolarWinds hack of 2020.
The improvements to Kazuar indicate that the threat actor behind the operation continues to evolve its attack methods and grow in sophistication, while expanding its ability to control victims’ systems. This includes the use of robust obfuscation and custom string encryption methods to evade detection.
“Kazuar operates in a multithreading model, while each of Kazuar’s main functionalities operates as its own thread,” the researchers explained.
“In other words, one thread handles receiving commands or tasks from its [command-and-control], while a solver thread handles execution of these commands. This multithreading model enables Kazuar’s authors to establish an asynchronous and modular flow control.”
The malware supports a wide range of features – jumping from 26 commands in 2017 to 45 in the latest variant – that facilitates comprehensive system profiling, data collection, credential theft, file manipulation, and arbitrary command execution.
It also incorporates capabilities to set up automated tasks that will run at specified intervals to gather system data, take screenshots, and grab files from particular folders. Communication with C2 servers takes place over HTTP.
“In addition to direct HTTP communication with the C2, Kazuar has the ability to function as a proxy, to receive and send commands to other Kazuar agents in the infected network,” the researchers said.
“It is doing this proxy communication via named pipes, generating their names based on the machine’s GUID. Kazuar uses these pipes to establish peer-to-peer communication between different Kazuar instances, configuring each as a server or a client.”
What’s more, the extensive anti-analysis functionalities lends Kazuar a high degree of stealth, ensuring it remains idle and ceases all C2 communication if it is being debugged or analyzed.
The development comes as Kaspersky revealed that a number of state and industrial organizations in Russia were targeted with a custom Go-based backdoor that performs data theft as part of a spear-phishing campaign that commenced in June 2023. The threat actor behind the operation is currently unknown.