Turla hacking group unveils the new Kazuar backdoor malware

March 4, 2024
Tags: Kazuar, Backdoor, Russia, Turla, Hacking Group, Malware

The notorious Russian-linked cybercriminal organisation called Turla has reemerged in the threat landscape equipped with a new and improved version of the Kazuar backdoor.

Based on reports, the Turla hacking group has been dormant in the past few months, indicating that it was enhancing the malicious tools it would use on its return to the cybercriminal scene. Recent findings show that the group has upgraded its stealthy malware, which had been inactive for years.

The newly upgraded Kazuar backdoor has retained its previous commands and added several new operations.

According to investigations, the updated variant of the Kazuar backdoor is a formidable weapon for Turla. It has an impressive arsenal of over 40 commands, with half never seen before.

These commands enable the attackers to engage in various malicious activities, including stealing sensitive data from web browsers, capturing screenshots from victims' systems, gathering system information, manipulating files, and executing VBScript and PowerShell scripts.

However, these commands are not the only upgrade the backdoor received: the latest Kazuar variant also incorporates robust code and string obfuscation techniques, enhancing its ability to evade detection.

Additionally, the malware developers included a multithreaded model to ensure the backdoor's performance, while a range of encryption schemes protect the stolen data during transmission to C2 servers.

The malware even leverages named pipes, a Windows inter-process communication mechanism, as a peer-to-peer channel that lets its operators coordinate between different instances of Kazuar seamlessly.
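As an added example (not code from the article or from any of the reports it summarises), the following Python script looks at the named-pipe point above from the detection side: it parses Sysmon-style pipe events (Event ID 17 is a pipe being created, Event ID 18 a process connecting to one), ignores pipes on a baseline allowlist, and raises the severity when one non-baseline pipe is shared between different processes or when the process image lives under a user-writable directory. The key=value line format, the baseline set and the sample events are all constructed for the demonstration; real Sysmon events are XML, and the pipe names Kazuar uses are not given in the article.

```python
"""Flag suspicious Windows named-pipe activity in Sysmon-style pipe events.

Sysmon writes Event ID 17 when a process creates a named pipe and Event ID 18
when a process connects to one. Two different processes sharing a pipe that is
not on a baseline of well-known system pipes is the pattern worth triaging.
"""
import re
from collections import defaultdict

# Hypothetical baseline of pipe names normally seen on a workstation. A real
# allowlist would be built from the organisation's own telemetry.
BASELINE_PIPES = {"\\lsass", "\\srvsvc", "\\wkssvc", "\\spoolss", "\\netlogon", "\\samr"}

# Path fragments from which legitimate services rarely create pipes.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")

# Constructed event lines (not Sysmon's real XML layout); image paths avoid
# spaces so a simple regex can split the fields.
SAMPLE_EVENTS = [
    r"EventID=17 Image=C:\Windows\System32\lsass.exe PipeName=\lsass",
    r"EventID=18 Image=C:\Windows\System32\svchost.exe PipeName=\srvsvc",
    r"EventID=17 Image=C:\Users\alice\AppData\Roaming\updater.exe PipeName=\demo-pipe",
    r"EventID=18 Image=C:\Windows\System32\wscript.exe PipeName=\demo-pipe",
    r"EventID=17 Image=C:\Vendor\agent.exe PipeName=\vendor-agent",
    "this line is not a pipe event and is skipped",
]

EVENT_RE = re.compile(r"EventID=(?P<id>\d+)\s+Image=(?P<image>\S+)\s+PipeName=(?P<pipe>\S+)")


def parse_event(line):
    """Return {"id", "image", "pipe"} for a pipe event line, or None if it does not match."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {"id": int(m.group("id")), "image": m.group("image"), "pipe": m.group("pipe")}


def find_suspicious_pipes(lines, baseline=BASELINE_PIPES):
    """Group pipe events by pipe name and score every pipe that is not on the baseline.

    Returns {pipe_name: {"severity": "low"|"high", "reasons": [...], "processes": [...]}}.
    """
    activity = defaultdict(lambda: {"creators": set(), "connectors": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        bucket = activity[ev["pipe"]]
        if ev["id"] == 17:
            bucket["creators"].add(ev["image"])
        elif ev["id"] == 18:
            bucket["connectors"].add(ev["image"])

    findings = {}
    for pipe, acts in activity.items():
        if pipe in baseline:
            continue
        reasons = []
        # A pipe created by one process and connected to by another is the
        # peer-to-peer coordination pattern described in the article.
        peers = acts["connectors"] - acts["creators"]
        if acts["creators"] and peers:
            reasons.append("pipe shared between different processes")
        processes = acts["creators"] | acts["connectors"]
        if any(frag in img.lower() for img in processes for frag in USER_WRITABLE):
            reasons.append("process runs from a user-writable directory")
        findings[pipe] = {
            "severity": "high" if reasons else "low",
            "reasons": ["pipe name not in baseline"] + reasons,
            "processes": sorted(processes),
        }
    return findings


if __name__ == "__main__":
    for pipe, info in find_suspicious_pipes(SAMPLE_EVENTS).items():
        print(f"{info['severity'].upper():4} {pipe}: {', '.join(info['reasons'])}")
        for image in info["processes"]:
            print(f"       {image}")
```

The "low" findings are the noise you tune out by extending the baseline from your own fleet; the "high" ones combine the unknown pipe with a second signal, which keeps the rule useful even though the specific pipe names a given Kazuar build uses are not known from the article.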

Kazuar first emerged on the cyber scene in 2017, but it remained inactive until recently. In July, Ukraine-CERT revealed the details of a phishing campaign that employed Kazuar and the Capibar malware to target the Ukrainian military. In this operation, Kazuar focused on stealing credentials, while Capibar was responsible for intelligence gathering.

The resurgence of the Kazuar backdoor shows how elusively the Turla threat group operates and upgrades its malicious tools. The group's expanded arsenal has allowed it to execute high-profile attacks targeting international government agencies.

Organisations must remain vigilant in detecting and blocking threats that endanger their critical assets and infrastructures.
