Researchers Find Links Between Sunburst and Russian Kazuar Malware


Cybersecurity researchers, for the particular first time, might have found the potential connection between the backdoor used in the particular SolarWinds hack in order to a previously known malware strain.

In new research released by Kaspersky researchers today, the particular cybersecurity firm said it discovered several features that overlap with another backdoor known as Kazuar , a. NET-based malware first documented by Palo Alto Networks in 2017.

Disclosed early last 30 days, the espionage campaign was notable to get its scale and stealth, with the attackers leveraging the rely on associated with SolarWinds Orion software to infiltrate government agencies and other companies so as in order to deploy a custom malware codenamed “Sunburst. ”

Shared Features Between Sunburst and Kazuar

Attribution for that SolarWinds supply-chain compromise has been challenging in part due to little-to-no clues linking the attack facilities to previous campaigns or some other well-known threat groups.

But Kaspersky’s newest analysis of the Sunburst backdoor provides revealed several shared features between the malware and Kazuar, leading the researchers to suspect that —

  • Each Sunburst and Kazuar were created by the same threat group
  • The adversary behind Sunburst used Kazuar as an inspiration
  • The groupings behind Kazuar (Turla) and Sunburst (UNC2452 or Dark Halo) obtained the malware from a solitary source
  • The designers of Kazuar moved to another team, taking their toolset with all of them, or
  • The particular Sunburst developers deliberately introduced these types of links as “false flag” to shift blame to another team

The characteristics shared between the two malware families include the use associated with a sleeping algorithm to stay dormant meant for a random period between connections to a C2 server, the extensive usage of the FNV-1a hash to obfuscate the malicious code, and the use of a hashing algorithm to create unique victim identifiers.

While Kazuar randomly selects a sleeping period in between two and four weeks in between C2 connections, Sunburst randomly opts for a resting period between twelve and 14 days before contacting the server for initial reconnaissance. But researchers noted that the particular formula used to calculate the particular sleeping time remains the same.

Kazuar’s Possible Hyperlinks to Turla

Kazuar is a fully featured backdoor written using the. NET Framework and relies on a command-and-control (C2) channel to allow actors to interact with the jeopardized system and exfiltrate data. Its features run the typical spyware and adware gamut, with support for running malicious commands, capture screenshots, and also deploy additional functionalities via a plugin command.

Palo Alto Networks’ Unit 42 group tentatively linked the tool to the particular Russian threat group Turla (aka Uroburos and Snake) based on the fact that the “code family tree in Kazuar can be traced back to at least 2005. ”

Exactly what is more, on November 18, 2020, Kazuar appears to have undergone a complete redesign with a new keylogger and password-stealing features added to the backdoor that is certainly implemented in the form associated with C2 server command.

While it’s normal for danger actors to keep updating their toolset and introduce features developed to bypass endpoint detection plus response (EDR) systems, Kaspersky experts raised the possibility that the changes may have been introduced in response to the SolarWinds breach.

“Suspecting the SolarWinds attack might be found out, the Kazuar code was changed to resemble the Sunburst backdoor less than possible, ” the researchers mentioned.

CISA Updates SolarWinds Advisory

Last 7 days, the U. S. Cybersecurity plus Infrastructure Security Agency (CISA), together with the Federal Bureau of Investigation (FBI), the Office of the Director of National Intelligence (ODNI), and the National Security Company (NSA), issued the joint statement formally accusing an adversary “likely Russian in origin” for staging the SolarWinds hack.

Furthermore, CISA, in an update to its advisory on January 6, said, “incident response investigations have determined that initial access in some cases was obtained by security password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services. ”

“These code overlaps between Kazuar and Sunburst are interesting and represent the very first potential identified link to the previously known malware family, inch Kaspersky researchers concluded.

“While Kazuar and Sunburst may be related, the nature of this particular relation is still not clear. Through further analysis, it will be possible that proof confirming one or a number of these points might arise. At the exact same time, additionally it is possible that the Sunburst developers were really great at their opsec and did not make any mistakes, with this particular link being an elaborate false flag. ”