The Cyber Security News
Turla Updates Kazuar Backdoor with Advanced Anti-Analysis to Evade Detection

November 1, 2023

The Russia-linked hacking crew known as Turla has been observed using an updated version of a known second-stage backdoor referred to as Kazuar.

The new findings come from Palo Alto Networks Unit 42, which is tracking the adversary under its constellation-themed moniker Pensive Ursa.

“As the code of the upgraded revision of Kazuar reveals, the authors put extra emphasis on Kazuar’s ability to operate in stealth, evade detection and thwart analysis attempts,” security researchers Daniel Frank and Tom Fakterman said in a technical report.

“They do so using a variety of advanced anti-analysis techniques and by protecting the malware code with effective encryption and obfuscation techniques.”

Pensive Ursa, active since at least 2004, is attributed to the Russian Federal Security Service (FSB). Earlier this July, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated the threat group in attacks targeting the defense sector in Ukraine and Eastern Europe with backdoors such as DeliveryCheck and Kazuar.

Kazuar is a .NET-based implant that first came to light in 2017 for its ability to stealthily interact with compromised hosts and exfiltrate data. In January 2021, Kaspersky highlighted source code overlaps between the malware strain and Sunburst, another backdoor used in connection with the SolarWinds hack of 2020.

The enhancements to Kazuar indicate that the threat actor behind the operation continues to evolve its attack techniques and mature in sophistication, while increasing its ability to control victims’ devices. This includes the use of robust obfuscation and custom string encryption techniques to evade detection.

“Kazuar operates in a multithreading model, where each of Kazuar’s main functionalities operates as its own thread,” the researchers explained.

Anti-Analysis to Evade Detection

“In other words, one thread handles receiving commands or tasks from its [command-and-control], while a solver thread handles execution of these commands. This multithreading model enables Kazuar’s authors to establish an asynchronous and modular flow control.”

The malware supports a wide range of features – jumping from 26 commands in 2017 to 45 in the latest variant – that facilitate extensive system profiling, data collection, credential theft, file manipulation, and arbitrary command execution.

It also includes capabilities to set up automated tasks that run at specified intervals to gather system information, take screenshots, and grab files from specific folders. Communication with C2 servers takes place over HTTP.

“In addition to direct HTTP communication with the C2, Kazuar has the ability to function as a proxy, to receive and send commands to other Kazuar agents in the infected network,” the researchers said.

“It is doing this proxy communication using named pipes, building their names based on the machine’s GUID. Kazuar uses these pipes to establish peer-to-peer communication between different Kazuar instances, configuring each as a server or a client.”

What’s more, the extensive anti-analysis functionality lends Kazuar a high degree of stealth, ensuring it stays idle and ceases all C2 communication if it is being debugged or analyzed.

The development comes as Kaspersky revealed that a number of state and industrial organizations in Russia were targeted with a custom Go-based backdoor that performs data theft as part of a spear-phishing campaign that began in June 2023. The threat actor behind the operation is currently unknown.

Some parts of this article are sourced from:
thehackernews.com
