Russian hacking group Secret Blizzard has developed its long-running Kazuar backdoor into a modular peer-to-peer (P2P) botnet designed for long-term persistence, stealth, and data collection.
Secret Blizzard's activity overlaps with that of Turla, Uroburos, and Venomous Bear; it is associated with Russia's Federal Security Service (FSB) and is known to target government and diplomatic organizations, defense organizations, and critical systems across Europe, Asia, and Ukraine.
The Kazuar malware has been documented since 2017, and researchers found that its code lineage dates back to 2005. Its activity is associated with the Turla espionage group working for the FSB.
In 2020, researchers revealed that the tool was being deployed in attacks targeting European government agencies. Three years later, it was seen deployed in an attack against Ukraine.
“Leader” Kazuar
Microsoft researchers analyzed recent variants of Kazuar and observed that the malware operates using three different modules: kernel, bridge, and worker.
The kernel module is the central coordinator that manages tasks, controls the other modules, elects leaders, and coordinates communication and data flow throughout the botnet.
A leader is essentially one infected system within a compromised environment or network segment that communicates with a command and control (C2) server, receives tasks, and forwards them internally to other infected systems.
Non-leader systems go into “silent” mode and do not communicate directly with the C2. This increases stealth and reduces the detection surface.
“The kernel leader is one elected kernel module that communicates with the bridge module on behalf of other kernel modules, reducing visibility by avoiding large amounts of external traffic from multiple infected hosts,” Microsoft explains.
The process of selecting a leader is internal and autonomous and uses uptime, restarts, and the number of interruptions.
The Bridge module acts as an external communication proxy that relays traffic between selected kernel leaders and remote C2 infrastructure using protocols such as HTTP, WebSockets, and Exchange Web Services (EWS).
Image source: Microsoft
Internal communication relies on IPC (inter-process communication) mechanisms such as Windows Messaging, mailslots, and named pipes, which blend well with normal operating noise. Messages are encrypted with AES and serialized with Google Protocol Buffers (Protobuf).
The Worker module performs the actual espionage activities, such as:
- keylogging
- capturing screenshots
- collecting data from file systems
- performing system and network reconnaissance
- email/MAPI data collection (including Outlook downloads)
- window monitoring
- stealing recent files
The collected data is encrypted, staged locally, and later exfiltrated by the Bridge module.
Image source: Microsoft
Microsoft highlights the flexibility of Kazuar, which currently supports 150 configuration options, allowing operators to enable or disable specific security bypasses, schedule tasks, time data theft and adjust the size of exfiltration chunks, perform process injection, manage task and command execution, and more.
Regarding security bypass options, Kazuar currently offers Antimalware Scan Interface (AMSI) bypass, Event Tracing for Windows (ETW) bypass, and Windows Lockdown Policy (WLDP) bypass.
Secret Blizzard typically requires long-term persistence on target systems to gather information. The attacker steals the contents of politically sensitive documents and emails.
Microsoft recommends that enterprises focus their defenses on behavioral detection rather than static signatures, as Kazuar's modular and highly configurable nature makes it particularly evasive.
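The leader/silent-peer model described above (one host per segment talks to C2, the others only exchange named-pipe traffic) is itself a behavior a defender can look for, which is the kind of behavioral detection Microsoft recommends here. The following script is an added example, not code from Microsoft or from the article: it correlates constructed endpoint events (the event shape, field names and pipe names are assumptions modelled loosely on Sysmon-style named-pipe and network-connection logs) and flags, per /24 segment, a named pipe shared by several hosts where exactly one of those hosts also has outbound connections to non-RFC1918 addresses.

```python
"""Behavioral correlation: single-egress host with many named-pipe peers.

Added example. All events below are constructed sample telemetry; the pipe
names and IP addresses are placeholders, not indicators from any report.
Assumed event shapes:
  {"type": "pipe", "host": <ip>, "pipe": <pipe name>}          # pipe connect
  {"type": "net",  "host": <ip>, "dst": <ip>, "port": <int>}   # outbound conn
"""
from collections import defaultdict
import ipaddress

# Private ranges treated as internal; anything else counts as external egress.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample telemetry (placeholder pipe names and addresses).
EVENTS = [
    {"type": "pipe", "host": "10.1.2.10", "pipe": r"\\.\pipe\svc-sync-a"},
    {"type": "pipe", "host": "10.1.2.11", "pipe": r"\\.\pipe\svc-sync-a"},
    {"type": "pipe", "host": "10.1.2.12", "pipe": r"\\.\pipe\svc-sync-a"},
    {"type": "net", "host": "10.1.2.10", "dst": "203.0.113.7", "port": 443},
    {"type": "net", "host": "10.1.2.10", "dst": "203.0.113.7", "port": 443},
    # Benign-looking segment: hosts browse the web, no pipe shared by 3+ hosts.
    {"type": "net", "host": "10.1.3.20", "dst": "198.51.100.5", "port": 443},
    {"type": "net", "host": "10.1.3.21", "dst": "198.51.100.5", "port": 443},
    {"type": "pipe", "host": "10.1.3.20", "pipe": r"\\.\pipe\print-spooler"},
]


def segment_of(host):
    """Map a host address to its /24 network (the 'segment' used for grouping)."""
    return str(ipaddress.ip_interface(f"{host}/24").network)


def is_external(dst):
    """True when the destination is outside every configured internal range."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events, min_pipe_peers=3):
    """Return findings for pipes shared by >= min_pipe_peers hosts in a segment
    where exactly one of those hosts makes external connections."""
    pipes = defaultdict(lambda: defaultdict(set))  # segment -> pipe -> hosts
    egress = defaultdict(set)                       # segment -> hosts w/ egress
    for e in events:
        seg = segment_of(e["host"])
        if e["type"] == "pipe":
            pipes[seg][e["pipe"]].add(e["host"])
        elif e["type"] == "net" and is_external(e["dst"]):
            egress[seg].add(e["host"])

    findings = []
    for seg, by_pipe in pipes.items():
        for pipe, hosts in by_pipe.items():
            if len(hosts) < min_pipe_peers:
                continue
            talkers = hosts & egress[seg]
            if len(talkers) == 1:  # one egress host, the rest stay silent
                leader = next(iter(talkers))
                findings.append({
                    "segment": seg,
                    "pipe": pipe,
                    "egress_host": leader,
                    "silent_peers": sorted(hosts - talkers),
                })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['segment']}: pipe {f['pipe']} shared by "
              f"{1 + len(f['silent_peers'])} hosts, sole egress {f['egress_host']}")
```

The threshold and segment size are tunable; in a real environment the pipe-name field would be fed from endpoint telemetry and the external-address test from the organization's own address plan rather than the RFC 1918 list used here. The pattern is only a triage signal: legitimate management agents can also share a pipe name across hosts, so a finding should be pivoted on (which process owns the pipe, what the egress host talks to) rather than alerted on directly.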
