S0265 Kazuar
Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. [1]
Item | Value |
---|---|
ID | S0265 |
Associated Names | |
Type | MALWARE |
Version | 1.3 |
Created | 17 October 2018 |
Last Modified | 02 December 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | Kazuar gathers information on local groups and members on the victim’s machine. [1] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Kazuar uses HTTP and HTTPS to communicate with the C2 server. Kazuar can also act as a web server and listen for inbound HTTP requests through an exposed API. [1] |
enterprise | T1071.002 | File Transfer Protocols | Kazuar uses FTP and FTPS to communicate with the C2 server. [1] |
enterprise | T1010 | Application Window Discovery | Kazuar gathers information about open windows. [1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Kazuar adds a sub-key under several Registry Run keys. [1] |
enterprise | T1547.009 | Shortcut Modification | Kazuar adds a .lnk file to the Windows Startup folder. [1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Kazuar uses cmd.exe to execute commands on the victim’s machine. [1] |
enterprise | T1059.004 | Unix Shell | Kazuar uses /bin/bash to execute commands on the victim’s machine. [1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | Kazuar can install itself as a new service. [1] |
enterprise | T1485 | Data Destruction | Kazuar can overwrite files with random data before deleting them. [1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Kazuar encodes communications to the C2 server in Base64. [1] |
enterprise | T1005 | Data from Local System | Kazuar uploads files from a specified directory to the C2 server. [1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | Kazuar stages command output and collected data in files before exfiltration. [1] |
enterprise | T1008 | Fallback Channels | Kazuar can accept multiple URLs for C2 servers. [1] |
enterprise | T1083 | File and Directory Discovery | Kazuar can list the files in a specified directory along with metadata about those files. [1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Kazuar can delete files. [1] |
enterprise | T1105 | Ingress Tool Transfer | Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary. [1] |
enterprise | T1027 | Obfuscated Files or Information | Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the names of created files, folders and mutexes, and encrypts debug messages written to log files using the Rijndael cipher. [1] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.001 | Local Groups | Kazuar gathers information about local groups and members. [1] |
enterprise | T1057 | Process Discovery | Kazuar obtains a list of running processes through WMI queries and the ps command. [1] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.001 | Dynamic-link Library Injection | If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject into and execute within specific processes. [1] |
enterprise | T1090 | Proxy | - |
enterprise | T1090.001 | Internal Proxy | Kazuar has used internal nodes on the compromised network for C2 communications. [2] |
enterprise | T1029 | Scheduled Transfer | Kazuar can sleep for a specified time and be configured to communicate at specific intervals. [1] |
enterprise | T1113 | Screen Capture | Kazuar captures screenshots of the victim’s screen. [1] |
enterprise | T1082 | System Information Discovery | Kazuar gathers information on the system and local drives. [1] |
enterprise | T1016 | System Network Configuration Discovery | Kazuar gathers information about network adapters. [1] |
enterprise | T1033 | System Owner/User Discovery | Kazuar gathers information on users. [1] |
enterprise | T1125 | Video Capture | Kazuar captures images from the webcam. [1] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.002 | Bidirectional Communication | Kazuar has used compromised WordPress blogs as C2 servers. [1] |
enterprise | T1047 | Windows Management Instrumentation | Kazuar obtains a list of running processes through WMI queries. [1] |
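As an added hunting example (not code from the ATT&CK page, from the Kazuar reports it cites, or from the malware itself), the PowerShell below checks a Windows host for three of the persistence and injection behaviours listed in the table: sub-keys created under Registry Run keys (T1547.001), shortcuts in the Startup folders resolved to their targets (T1547.009), and modules loaded into explorer.exe that are not validly signed by Microsoft (T1055.001). The list of Run keys, the use of the signer subject as a heuristic, and the function names are this example's assumptions, not published Kazuar indicators.

```powershell
# Added hunting script (example code, not from the ATT&CK page or the Kazuar reports it cites).
# It checks a host for three Windows behaviours attributed to Kazuar in the table above:
#   T1547.001  sub-keys under the Run / RunOnce keys (these keys normally hold values, never sub-keys)
#   T1547.009  .lnk files in the per-user and all-users Startup folders, resolved to their targets
#   T1055.001  modules mapped into explorer.exe whose Authenticode signature is missing or not Microsoft's
# The key list and the "Microsoft" signer heuristic are assumptions of this example, not Kazuar indicators.
# Run from an elevated PowerShell 5.1+ session on the host being examined.

function Get-RunKeySubKeys {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        # Get-ChildItem on a registry path enumerates sub-keys only, so any hit here is worth triage.
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $sub  = $_
            $vals = foreach ($name in $sub.GetValueNames()) { "$name=$($sub.GetValue($name))" }
            [PSCustomObject]@{
                Technique = 'T1547.001'
                Location  = "$key\$($sub.PSChildName)"
                Detail    = ($vals -join '; ')
            }
        }
    }
}

function Get-StartupShortcuts {
    $dirs  = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $dirs) {
        Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue | ForEach-Object {
            # Resolve the shortcut so the analyst sees the real target and arguments, not just the .lnk name.
            $lnk = $shell.CreateShortcut($_.FullName)
            [PSCustomObject]@{
                Technique = 'T1547.009'
                Location  = $_.FullName
                Detail    = "$($lnk.TargetPath) $($lnk.Arguments) (created $($_.CreationTime))"
            }
        }
    }
}

function Get-UnsignedExplorerModules {
    Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        foreach ($mod in $proc.Modules) {
            $sig    = Get-AuthenticodeSignature -FilePath $mod.FileName -ErrorAction SilentlyContinue
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Report anything whose signature is not valid or not Microsoft-issued; a DLL the implant
            # wrote to disk and injected will normally be unsigned.
            if (-not $sig -or $sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
                [PSCustomObject]@{
                    Technique = 'T1055.001'
                    Location  = "explorer.exe (PID $($proc.Id)): $($mod.FileName)"
                    Detail    = "status=$($sig.Status) signer=$signer"
                }
            }
        }
    }
}

$findings = @(Get-RunKeySubKeys) + @(Get-StartupShortcuts) + @(Get-UnsignedExplorerModules)
if ($findings.Count -eq 0) {
    Write-Output 'No Run-key sub-keys, Startup shortcuts, or non-Microsoft explorer.exe modules found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The first two checks are low-noise on a typical workstation: Run keys rarely contain sub-keys, and Startup folders usually hold only shortcuts an administrator can account for. The third is a triage queue rather than a verdict: third-party shell extensions legitimately load into explorer.exe, and on older Windows builds catalog-signed OS components can be reported as NotSigned, so confirm each flagged module's origin before acting on it.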
Groups That Use This Software
ID | Name | References |
---|---|---|
G0010 | Turla | [1][3] |
References
1. Levene, B., et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
2. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
3. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.