The Russian state-sponsored hacking group often known as
Turla
has reworked its customized backdoor Kazuar right into a modular peer-to-peer (P2P) botnet that is engineered for stealth and chronic entry to compromised hosts.
Turla, per the U.S. Cybersecurity and Infrastructure Safety Company (CISA), is assessed to be affiliated with Middle 16 of Russia’s Federal Safety Service (FSB). It overlaps with exercise traced by the broader cybersecurity neighborhood below the names ATG26, Blue Python, Iron Hunter, Pensive Ursa, Secret Blizzard (previously Krypton), Snake, SUMMIT, Uroburos, Venomous Bear, Waterbug, and WRAITH.
The hacking group is thought for its assaults concentrating on authorities, diplomatic, and protection sectors in Europe and Central Asia, in addition to
endpoints beforehand breached by Aqua Blizzard
(aka Actinium and Gamaredon) to help the Kremlin’s strategic goals.
“This improve aligns with Secret Blizzard’s broader goal of gaining long-term entry to methods for intelligence assortment,” the Microsoft Risk Intelligence crew
stated
in a report revealed Thursday. “Whereas many menace actors depend on rising utilization of native instruments (living-off-the-land binaries (LOLBins)) to keep away from detection, Kazuar’s development right into a modular bot highlights how Secret Blizzard is engineering resilience and stealth immediately into their tooling.”
A key instrument in Turla’s arsenal is
Kazuar
, a
refined .NET backdoor
that has been persistently put to make use of since 2017. The newest findings from Microsoft charts its evolution from a “monolithic” framework right into a modular bot ecosystem that includes three distinct part varieties, every with its personal well-defined roles. These modifications allow versatile configuration, scale back observable footprint, and facilitate broad tasking.
 |
| Overview of Kernel, Bridge, and Employee module interactions |
Assaults distributing the malware have been discovered to depend on droppers like Pelmeni and ShadowLoader to decrypt and launch the modules. The three module varieties that kind the inspiration for Kazuar’s structure are listed under –
-
Kernel
, which acts because the central coordinator for the botnet by issuing duties to Employee modules, manages communication with the Bridge module, maintains logs of actions and picked up knowledge, performs anti-analysis and sandbox checks, and units up the surroundings via a configuration that specifies varied parameters associated to command-and-control (C2) communication, knowledge exfiltration timing, activity administration, file scanning and assortment, and monitoring. -
Bridge
, which acts as a proxy between the chief Kernel module and the C2 server. -
Employee
, which logs keystrokes, hooks Home windows occasions, tracks duties, and gathers system info, file listings, and Messaging Utility Programming Interface (
MAPI
) particulars.
The Kernel module sort exposes three inner communication mechanisms (by way of Home windows Messaging, Mailslot, and named pipes) and three completely different strategies for contacting attacker-controlled infrastructure (by way of Trade Net Companies, HTTP, and WebSockets). The part additionally “elects” a single Kernel chief to speak with the Bridge module on behalf of the opposite Kernel modules.
 |
| How the Kernel chief coordinates Employee tasking and makes use of the Bridge |
“Elections happen over Mailslot, and the chief is elected based mostly on the quantity of labor (size of time the Kernel module has been working) divided by interrupts (reboots, logoffs, course of terminated),” Microsoft defined. “As soon as a frontrunner is elected, it broadcasts itself because the chief and tells all different Kernel modules to set SILENT. Solely the elected chief isn’t SILENT, which permits the chief Kernel module to log exercise and request duties by means of the Bridge module.”
One other perform of the module is to provoke varied threads to arrange a named pipe channel between Kernel modules for inter-Kernel communications, specify an exterior communication technique, in addition to facilitate Kernel-to-Employee and Kernel-to-Bridge communication over Home windows messaging or Mailslot.
The tip objective of the Kernel is to ballot new duties from the C2 server, parse incoming messages, assign duties to the Employee, replace configuration, and ship the outcomes of the duties again to the server. Moreover, the module incorporates a activity handler that makes it doable to course of instructions issued by the Kernel chief.
Information collected by the Employee module is then aggregated, encrypted, and written to the malware’s working listing, from the place it is exfiltrated to the C2 server.
“Kazuar makes use of a devoted working listing as a centralized on-disk staging space to help its inner operations throughout modules,” Microsoft stated. “This listing is outlined by means of configuration and is persistently referenced utilizing absolutely certified paths to keep away from ambiguity throughout execution contexts.”
“Throughout the working listing, Kazuar organizes knowledge by perform, isolating tasking, assortment output, logs, and configuration materials into distinct places. This design permits the malware to decouple activity execution from knowledge storage and exfiltration, keep operational state throughout restarts, and coordinate asynchronous exercise between modules whereas minimizing direct interplay with exterior infrastructure.”
