Researchers at Unit 42 have discovered a backdoor Trojan they have called Kazuar. Kazuar was found to be linked to an espionage campaign and appears to be written with the Microsoft .NET Framework. Kazuar allows attackers to gain complete control over a compromised system.
Kazuar comes equipped with several potential functions and commands, including the ability to load plugins remotely. These plugins give the Trojan greater capabilities and make it more of a threat. There was also code in the observed strain that suggested there are Linux and Mac versions of Kazuar out in the world. One thing that stands out about Kazuar is that it works through an Application Programming Interface (API) exposed by a web server, and it may be the first – and only – virus to act in such a way.
Who is Behind Kazuar?
Unit 42 believes that Kazuar could be linked to Turla, a threat actor group also known to operate under the names Snake and Uroburos. The group targets embassies, educational institutions, defense contractors, and research organizations with its attacks. Turla has something of a signature in its code that identifies tools as theirs, and the code used for Kazuar can be traced back to 2005 at the least.
If the hypothesis is right and Turla is indeed behind Kazuar, then the group could be using the tool to replace Carbon and similar viruses. Turla has used a number of tools in its time, most of which are deployed at the second stage of attacks within compromised environments. Kazuar could be one new way that the Turla group is handling operations.
What Does Kazuar Do?
Kazuar is a backdoor Trojan, which is one of the largest categories of digital threats. Backdoor Trojans can be expensive and comprehensive programs with a range of capabilities, or they could be simple programs that do nothing but ping a server. Kazuar, in particular, named for the cassowary bird of Southeast Asia, is more of a traditional backdoor Trojan. While Kazuar is relatively basic, it does have some hidden features that make it more of a threat than the typical backdoor Trojan like PowerStallion or Neuron.
Kazuar sets out to avoid being detected as Turla hackers gather intelligence from their targets. Even though Kazuar is a .NET Framework application, it also has features that make it compatible with Mac and Unix/Linux systems. So far, however, only Windows variants have been spotted in the wild.
Take a look at the code for Kazuar, and you’ll see just how much work was put into this virus. Kazuar has an enhanced setup routine and is able to adapt to vulnerable computers by establishing persistence through a number of methods. The virus creates DLLs and abuses Windows services and .NET Framework functions to stay on a computer. Once the virus is up and running, it will give the attacker information about the target computer and let them take control. Attackers are able to upload files, take screenshots, activate webcams, copy data, launch executable files, and perform other tasks through optional modules.
It’s worth taking note of the API feature. Viruses like this primarily connect to Command and Control servers (C2 servers) and wait for instructions. Kazuar stands out because it can create an always-listening web server, which helps the virus avoid firewalls and antivirus detection.
How Does Kazuar Infect Computers?
The Kazuar malware infects computers through several different methods. The most common are malicious software bundles, email spam, network shares, malicious links, and infected flash drives. Kazuar is sure to cause a massive amount of damage once it gets onto your computer.
Victims have reported having to deal with hard drive failure, frequent crashes, corrupted applications, and more. That’s to say nothing of the actual harm it could do in terms of financial loss or identity theft. You should take steps to protect yourself against Kazuar and remove any infection as soon as you can.
Upon infecting a targeted device, the Kazuar malware collects some information about the software and hardware of the infected host. Furthermore, the Kazuar threat generates a unique mutex based on the serial ID of the hard disk and the active user's username. This step of the attack serves to detect whether a second copy of the Kazuar malware is already running on the infected computer. Once this is completed, the Kazuar malware proceeds with the attack by gaining persistence on the host. This is achieved by modifying the system's Windows Registry. Next, the Kazuar malware connects to the C&C (Command & Control) server of its operators and waits to be given commands by them. Among the main features of the Kazuar malware are:
- Taking screenshots of the user's active windows and desktop.
- Downloading files.
- Uploading files.
- Recording footage via the system's camera.
- Managing running processes.
- Executing remote commands.
- Listing and managing active plugins of the threat.
- Updating itself and its list of C&C servers.
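Because the article describes Kazuar persisting through Windows Registry modifications, a defender's first check on a suspect host is an audit of the Registry autostart locations. The script below is an added example (not code from the Unit 42 report or from this article); the trusted-directory list and the loader-host heuristic are assumptions for illustration, not indicators taken from the report.

```powershell
# Audit Registry Run/RunOnce autostart entries and flag the ones that look
# out of place. Heuristics here are assumed, not Kazuar indicators.
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Directories where legitimately installed autostart programs normally live (assumption).
$trustedRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")

# Hosts commonly used to launch a payload indirectly (assumed heuristic list).
$suspiciousHosts = 'regsvr32|rundll32|installutil|mshta|wscript|cscript|powershell'

function Get-AutostartFindings {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $cmd = [string]$prop.Value
            # Extract the executable path from the command line (quoted or bare form).
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }

            $reasons = @()
            if (-not $inTrusted) { $reasons += 'outside Program Files/Windows' }
            if ($cmd -match $suspiciousHosts) { $reasons += 'launched via script/loader host' }
            if ($exe -and -not (Test-Path $exe)) { $reasons += 'target file missing' }

            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                Flags   = ($reasons -join '; ')
            }
        }
    }
}

# Flagged entries sort to the top; review each one against the installed software inventory.
Get-AutostartFindings | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; an empty Flags column means the entry passed every heuristic, not that it is known good.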
This long list of capabilities allows the Kazuar malware to cause significant damage to any system it manages to infiltrate. Since it is likely that the creators of the Kazuar threat are working on an OSX-compatible iteration of this malware, even more users will be at risk. To protect your system from pests like the Kazuar threat, make sure to download and install a genuine anti-virus software suite that will take care of your cybersecurity and keep your data safe.
How to Protect Against Kazuar
As with any kind of virus, the main thing you can do to protect your computer is to avoid opening unexpected email attachments and links. If you don’t know where an email has come from, don’t interact with it. Also, make sure to keep a regular backup of your most important data. It helps to have multiple backups, too: the more backups you have, the higher your chances of getting things back to normal in the event of a Kazuar or other malware infection.
Last but not least, you want to make sure that all of your programs and applications are up to date. Don’t forget to update your operating system regularly, too. Viruses thrive on exploits in operating systems and software, so don’t let unpatched flaws linger.