Skip to content

S0265 Kazuar

Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. 1

Item Value
ID S0265
Associated Names
Type MALWARE
Version 1.3
Created 17 October 2018
Last Modified 02 December 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account Kazuar gathers information on local groups and members on the victim’s machine.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Kazuar uses HTTP and HTTPS to communicate with the C2 server. Kazuar can also act as a webserver and listen for inbound HTTP requests through an exposed API.1
enterprise T1071.002 File Transfer Protocols Kazuar uses FTP and FTPS to communicate with the C2 server.1
enterprise T1010 Application Window Discovery Kazuar gathers information about opened windows.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Kazuar adds a sub-key under several Registry run keys.1
enterprise T1547.009 Shortcut Modification Kazuar adds a .lnk file to the Windows startup folder.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Kazuar uses cmd.exe to execute commands on the victim’s machine.1
enterprise T1059.004 Unix Shell Kazuar uses /bin/bash to execute commands on the victim’s machine.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Kazuar can install itself as a new service.1
enterprise T1485 Data Destruction Kazuar can overwrite files with random data before deleting them.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Kazuar encodes communications to the C2 server in Base64.1
enterprise T1005 Data from Local System Kazuar uploads files from a specified directory to the C2 server.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Kazuar stages command output and collected data in files before exfiltration.1
enterprise T1008 Fallback Channels Kazuar can accept multiple URLs for C2 servers.1
enterprise T1083 File and Directory Discovery Kazuar finds a specified directory, lists the files and metadata about those files.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Kazuar can delete files.1
enterprise T1105 Ingress Tool Transfer Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.1
enterprise T1027 Obfuscated Files or Information Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher.1
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups Kazuar gathers information about local groups and members.1
enterprise T1057 Process Discovery Kazuar obtains a list of running processes through WMI querying and the ps command.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes.1
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy Kazuar has used internal nodes on the compromised network for C2 communications.2
enterprise T1029 Scheduled Transfer Kazuar can sleep for a specific time and be set to communicate at specific intervals.1
enterprise T1113 Screen Capture Kazuar captures screenshots of the victim’s screen.1
enterprise T1082 System Information Discovery Kazuar gathers information on the system and local drives.1
enterprise T1016 System Network Configuration Discovery Kazuar gathers information about network adapters.1
enterprise T1033 System Owner/User Discovery Kazuar gathers information on users.1
enterprise T1125 Video Capture Kazuar captures images from the webcam.1
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication Kazuar has used compromised WordPress blogs as C2 servers.1
enterprise T1047 Windows Management Instrumentation Kazuar obtains a list of running processes through WMI querying.1

Groups That Use This Software

ID Name References
G0010 Turla 13

References