Researchers have discovered a backdoor Trojan called Kazuar. Kazuar was found to be linked to an espionage campaign and appears to be written with the Microsoft .NET Framework. Kazuar allows attackers to gain complete access to a compromised system.

Kazuar has several potential functions and commands, including the ability to load plugins remotely. These plugins give the Trojan greater capabilities and make it more of a threat. There was also code in the observed strain that suggested there were Linux and Mac versions of Kazuar out there in the world. One thing that stands out about Kazuar is that it works through an Application Programming Interface (API) connected to a web server, and it may be the first – and only – virus to act in such a way.

Who is Behind Kazuar?

Researchers believe that Kazuar is linked to Turla, an APT (Advanced Persistent Threat) group, also known to operate under the names Snake and Uroburos. Turla is known for its advanced capabilities and being a long-standing Russian-based cyber threat group with alleged ties to the Russian Federal Security Service (FSB). The group targets embassies, educational institutions, defense contractors, and research organizations with their attacks. Turla has something of a signature in their code that identifies tools as theirs, and the code used for Kazuar can be traced back to 2005, at the least.

Turla has used a number of tools in their time, most of which are deployed at the second stage of attacks within compromised environments. Kazuar could be one new way that the Turla group is handling operations.

What Does Kazuar Do?

Kazuar is a backdoor Trojan, which is one of the largest categories of digital threats. Backdoor Trojans can be expensive and comprehensive programs with a range of capabilities, or they could be simple programs that do nothing but ping a server. Kazuar, in particular, named for the cassowary bird of Southeast Asia, is more of a traditional backdoor Trojan. While Kazuar is relatively basic, it does have some hidden features that make it more of a threat than typical backdoor Trojans like PowerStallion or Neuron.

Kazuar sets out to avoid being detected as Turla hackers gather intelligence from their targets. Even though Kazuar is a .NET Framework application, it also has features that make it compatible with Mac and Unix/Linux systems. So far, however, only Windows variants have been spotted in the wild.

Take a look at the code for Kazuar, and you'll see just how much work was put into this virus. Kazuar has an enhanced setup routine and is able to adapt to vulnerable computers by establishing persistence through a number of methods. The virus creates DLLs and exploits Windows services and .NET Framework functions to stay on a computer. Once the virus is up and running, it will give the attacker information about the target computer and let them take control. Attackers are able to upload files, take screenshots, activate webcams, copy data, launch executable files, and perform other tasks through optional modules.

It's worth taking note of the API feature. Viruses like this primarily connect to Command and Control servers (C2 servers) and wait for instructions. Kazuar stands out because it can create an always-listening Web server that helps the virus avoid firewalls and anti-malware detections.

How Does Kazuar Infect Computers?

The Kazuar malware infects computers through several different methods. The most common are malicious software bundles, email spam, network sharing, malicious links, and accessing infected flash drives. Kazuar is sure to cause a massive amount of damage once it gets on your computer.

Victims have reported having to deal with hard drive failure, frequent crashes, corrupted applications, and more. That's to say nothing of the actual harm it could do in terms of financial loss or identity theft. You should take steps to protect yourself against Kazuar and remove any infection as soon as you can.

Upon infecting a targeted device, the Kazuar malware collects some information regarding the software and hardware of the infected host. Furthermore, the Kazuar threat generates a unique mutex based on the serial ID of the hard disk and the active user's username. This step of the attack serves to detect whether another instance of the Kazuar malware is already running on the infected computer. Once this is completed, the Kazuar malware proceeds with the attack by gaining persistence on the host. This is achieved by modifying the system's Windows Registry. Next, the Kazuar malware connects to the C&C (Command & Control) server of its operators and waits to be given commands by them. Among the main features of the Kazuar malware are:

  • Taking screenshots of the user's active windows and desktop.
  • Downloading files.
  • Uploading files.
  • Recording footage via the system's camera.
  • Managing running processes.
  • Executing remote commands.
  • Listing and managing active plugins of the threat.
  • Updating itself and its list of C&C servers.
  • Self-destructing.

This long list of capabilities allows the Kazuar malware to cause significant damage to any system it manages to infiltrate. Since it is likely that the creators of the Kazuar threat are working on an OSX-compatible iteration of this malware, even more users will be at risk. To protect your system from pests like the Kazuar threat, make sure to download and install a genuine anti-malware software suite that will take care of your cybersecurity and keep your data safe.

Turla Deploys New Kazuar Variant against Targets in Ukraine

Since its initial detection in 2017, Kazuar has surfaced sporadically in the wild, primarily affecting organizations within European governmental and military spheres. Its connection to the Sunburst backdoor, evidenced by code similarities, underscores its sophisticated nature. While no new Kazuar samples have emerged since late 2020, reports suggested ongoing development efforts in the shadows.

Analysis of the updated Kazuar code highlights a concerted effort by its creators to enhance its stealth capabilities, evade detection mechanisms, and thwart analysis endeavors. This is achieved through a range of advanced anti-analysis methods coupled with robust encryption and obfuscation techniques to safeguard the integrity of the malware code.

The Core Functionality of the New Kazuar Malware Variant

In typical Turla fashion, Kazuar employs a strategy of utilizing hijacked legitimate websites for its Command and Control (C2) infrastructure, thus evading takedowns. Additionally, Kazuar facilitates communication over named pipes, utilizing both methods to receive remote commands or tasks.

Kazuar boasts support for 45 distinct tasks within its C2 framework, representing a notable advancement in its functionality compared to earlier versions. Previous research had not documented some of these tasks. In contrast, the initial variant of Kazuar analyzed in 2017 supported only 26 C2 commands.

Kazuar's list of recognized commands spans various categories, including:

  • Host data collection
  • Extended forensic data gathering
  • File manipulation
  • Execution of arbitrary commands
  • Interacting with Kazuar's configuration settings
  • Querying and manipulating the Windows registry
  • Execution of scripts (VBS, PowerShell, JavaScript)
  • Sending custom network requests
  • Theft of credentials and sensitive information

Data Theft Remains Among the Top Priorities for Turla

Kazuar possesses the capability to harvest credentials from various artifacts within the compromised computer, triggered by commands such as 'steal' or 'unattend' received from the Command-and-Control (C2) server. These artifacts encompass numerous well-known cloud applications.

Furthermore, Kazuar can target sensitive files containing credentials associated with these applications. Among the targeted artifacts are Git SCM (a popular source control system among developers) and Signal (an encrypted messaging platform for private communication).

Upon spawning a unique solver thread, Kazuar automatically initiates an extensive system profiling task, dubbed 'first_systeminfo_do' by its creators. This task entails the thorough collection and profiling of the targeted system. Kazuar gathers comprehensive information about the infected machine, including details about the operating system, hardware specifications, and network configuration.

The data collected is stored in an 'info.txt' file, while execution logs are saved in a 'logs.txt' file. Additionally, as part of this task, the malware captures a screenshot of the user's screen. All collected files are then bundled into a single archive, encrypted, and dispatched to the C2.
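The profiling task described above leaves a recognisable trace on disk: one process writes info.txt, logs.txt and a screenshot in quick succession before bundling them. The following is an added example, not code from the original article or from any vendor, showing how a defender might correlate file-creation events to surface that pattern. The log format (time|pid|image|path, loosely modelled on Sysmon Event ID 11), the 120-second window and the sample events are all assumptions constructed for illustration.

```python
"""Heuristic detection for the Kazuar-style profiling burst described
above: info.txt + logs.txt + a screenshot written by one process within
a short window. Added example; format, window and events are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the assumed "time|pid|image|path" format.
# PID 4120 mimics the profiling task (note it runs inside a benign host
# process, as Kazuar is injected); 7788 and 9001 are normal activity.
SAMPLE_EVENTS = """\
2024-01-10T09:00:01|4120|C:\\Windows\\explorer.exe|C:\\Users\\a\\AppData\\Local\\Temp\\x1\\info.txt
2024-01-10T09:00:02|4120|C:\\Windows\\explorer.exe|C:\\Users\\a\\AppData\\Local\\Temp\\x1\\logs.txt
2024-01-10T09:00:03|4120|C:\\Windows\\explorer.exe|C:\\Users\\a\\AppData\\Local\\Temp\\x1\\scr.png
2024-01-10T09:00:04|4120|C:\\Windows\\explorer.exe|C:\\Users\\a\\AppData\\Local\\Temp\\x1\\bundle.bin
2024-01-10T09:05:00|7788|C:\\Program Files\\Git\\git.exe|C:\\repo\\logs.txt
2024-01-10T11:30:00|7788|C:\\Program Files\\Git\\git.exe|C:\\repo\\info.txt
2024-01-10T11:30:05|9001|C:\\Windows\\System32\\mspaint.exe|C:\\Users\\a\\Pictures\\shot.png
"""

PROFILE_FILES = {"info.txt", "logs.txt"}          # filenames named in the report
SCREENSHOT_EXT = (".png", ".jpg", ".jpeg", ".bmp")  # assumed screenshot formats
WINDOW = timedelta(seconds=120)                   # assumed: files land within 2 min

def parse_events(text):
    """Parse pipe-delimited lines into (timestamp, pid, image, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, pid, image, path = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), int(pid), image, path))
    return sorted(events)

def find_profiling_bursts(events, window=WINDOW):
    """Return [(pid, image, first_ts, filenames)] for every process that wrote
    info.txt, logs.txt and a screenshot-like image within `window`."""
    by_pid = defaultdict(list)
    for ts, pid, image, path in events:
        by_pid[pid].append((ts, image, path))
    hits = []
    for pid, writes in by_pid.items():
        for i, (start, image, _) in enumerate(writes):
            burst = [w for w in writes[i:] if w[0] - start <= window]
            names = {w[2].rsplit("\\", 1)[-1].lower() for w in burst}
            if PROFILE_FILES <= names and any(n.endswith(SCREENSHOT_EXT) for n in names):
                hits.append((pid, image, start, sorted(names)))
                break  # one alert per process is enough
    return hits

if __name__ == "__main__":
    for pid, image, ts, names in find_profiling_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"[!] pid {pid} ({image}) wrote a profiling bundle at {ts}: {names}")
```

Because Kazuar runs injected into another process, the flagged image will usually be a legitimate binary; the correlation by PID, not the image name, is what carries the signal.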

Kazuar Establishes Multiple Automated Tasks on the Infected Devices

Kazuar possesses the capability to establish automated procedures that execute at predefined intervals for the purpose of retrieving data from compromised systems. These automated tasks encompass a range of functions, including gathering comprehensive system information as described above, capturing screenshots, extracting credentials, retrieving forensics data, acquiring auto-runs data, obtaining files from designated folders, compiling a list of LNK files, and pilfering emails through the use of MAPI.

These functionalities enable Kazuar to conduct systematic surveillance and data extraction from infected machines, empowering malicious actors with a plethora of sensitive information. By leveraging these automated tasks, Kazuar streamlines the process of reconnaissance and data exfiltration, enhancing its effectiveness as a tool for cyber espionage and malicious activity.

The Updated Kazuar Malware Is Equipped with Extensive Anti-Analysis Capabilities

Kazuar employs a variety of sophisticated anti-analysis techniques meticulously designed to evade detection and scrutiny. Programmed by its creators, Kazuar dynamically adjusts its behavior based on the presence of analysis activities. When it determines that no analysis is underway, Kazuar proceeds with its operations. However, if it detects any indication of debugging or analysis, it immediately enters an idle state, halting all communication with its Command and Control (C2) server.


Given that Kazuar operates as an injected component within another process rather than as an autonomous entity, its code could in principle be extracted from the host process's memory. To counteract this, Kazuar makes adept use of a robust feature within .NET, the System.Reflection namespace. This capability lets Kazuar dynamically retrieve metadata about its assembly, methods, and other critical elements at runtime, fortifying its defenses against potential code extraction.

Additionally, Kazuar implements a defensive measure by scrutinizing whether the antidump_methods setting is enabled. In such cases, it overrides pointers to its bespoke methods while disregarding generic .NET methods, effectively erasing them from memory. As evidenced by Kazuar's logged message, this proactive approach serves to hinder researchers from extracting an intact version of the malware, thereby enhancing its resilience against analysis and detection.

Honeypot Check

Among its initial tasks, Kazuar diligently scans for any signs of honeypot artifacts on the target machine. To accomplish this, it references a predefined list of process names and filenames, employing a hardcoded approach. Should Kazuar encounter more than five instances of these specified files or processes, it promptly records the discovery as indicative of a honeypot presence.

Analysis Tools Check

Kazuar maintains a list of predefined names representing various widely used analysis tools. It systematically reviews the roster against the active processes on the system. Upon detecting the operation of any of these tools, Kazuar promptly registers the finding, indicating the presence of analysis tools.

Sandbox Check

Kazuar possesses a set of predetermined sandbox libraries hardcoded into its system. It conducts scans to identify specific DLLs associated with various sandbox services. Upon encountering these files, Kazuar concludes that it is running within a laboratory environment, prompting it to cease its operations.

Event Log Monitor

Kazuar systematically gathers and interprets events recorded in the Windows event logs. It specifically targets events originating from a selection of anti-malware and security vendors. This deliberate focus aligns with its strategy of monitoring activities associated with widely used security products under the plausible assumption that these tools are prevalent among potential targets.

The Kazuar Malware Continues to Represent a Major Threat in the Digital Space

The latest variant of the Kazuar malware, recently identified in the wild, showcases several notable attributes. It incorporates robust code and string obfuscation techniques alongside a multithreaded model for enhanced performance. Furthermore, a range of encryption schemes is implemented to safeguard Kazuar's code from analysis and to conceal its data, whether in memory, during transmission, or on disk. These features collectively aim to endow the Kazuar backdoor with a heightened level of stealth.

Additionally, this iteration of the malware exhibits sophisticated anti-analysis functionalities and extensive system profiling capabilities. Its specific targeting of cloud applications is noteworthy. Moreover, this version of Kazuar boasts support for an extensive array of over 40 distinct commands, with half of them previously undocumented by cybersecurity researchers.

How to Protect against Kazuar

As with any kind of threat, the main thing you can do to protect your computer is to avoid opening email attachments and links. Don't interact with the email if you don't know where it has come from. Also, make sure to back up your most important data regularly. It helps to have multiple backups, too, as the more backups you have, the higher your chances of getting things back to normal in the event of an infection by Kazuar or other malware.

Last but not least, you want to make sure that all of your programs and applications are up to date. Don't forget to update your operating system regularly, too. Computer threats thrive through exploits in operating systems and software, so don't let them linger.
