Connections Found Between Sunburst and Russian Kazuar Malware

On December 13, 2020, FireEye reported a supply chain attack that leveraged the SolarWinds Orion IT platform to compromise multiple organizations in the United States. The attack is remarkable in several respects, including the stealth, precision and targeting of the operation and the way the attackers delivered their malware through a trusted software update. FireEye named the backdoor planted in Orion "Sunburst".

After further investigation, however, researchers found that the backdoor used in the SolarWinds hack is connected to previously known malware.

Kaspersky researchers discovered that the SolarWinds backdoor is similar to another backdoor known as Kazuar, a .NET-based malware family first reported by Palo Alto Networks in 2017.

Kazuar is a tool used in earlier Turla operations, and according to the researchers it shares several features with the malware used in the SolarWinds attack.

The FBI, CISA and the NSA have also said that an actor likely Russian in origin is behind the SolarWinds attack.

According to the experts, the investigation raised several questions:

Was Sunburst developed by the same group as Kazuar? Why did the Sunburst developers reuse ideas or code from Kazuar? Are the two groups connected?

The following section describes the similarities between Kazuar and Sunburst that prompted these questions.

Relationships Between Sunburst and Kazuar

The SolarWinds backdoor contains features similar to those found in Kazuar (described below). The researchers offered several possible explanations for the overlap, none of which has been confirmed:

Sunburst and Kazuar may have been designed and developed by the same group; the group behind Sunburst may have used Kazuar as an inspiration; or both groups may have obtained the malware from a single common source.

Alternatively, some of the Kazuar developers may have moved to another team and brought their toolset with them when developing the Sunburst backdoor.

The features the two backdoors share include a sleeping algorithm that keeps the implant dormant for a random period before it contacts its command-and-control (C2) server, and extensive use of the FNV-1a hashing algorithm. Sunburst, for example, compares FNV-1a hashes of running process and service names against a blocklist instead of storing the names in clear text.

Both backdoors pick the sleeping period at random from a configured range: the analyzed Kazuar sample waits between two and four weeks between C2 connections, while Sunburst waits 12 to 14 days before its first connection to the C2 server.
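As an added example (not code from either malware family or from the research cited here), the following Python shows the two mechanisms just described: FNV-1a hashing, used here to compare hashed process names against a blocklist the way an implant would, and to show how a defender recovers such a blocklist by hashing a candidate dictionary; and a randomized dormancy period drawn from a configured range. The blocklist entries, process names and seed are constructed for illustration; the real Sunburst blocklist and any actor-specific hash constants are not reproduced.

```python
"""
FNV-1a hashing and randomized C2 dormancy, the two traits shared by Kazuar and Sunburst.

Added example for this article; not code from either malware family. It uses only the
standard FNV-1a constants. Blocklist entries, process names and the seed are constructed.
"""
import random

# Standard FNV-1a parameters (offset basis, prime) for the 32- and 64-bit variants.
FNV_PARAMS = {
    32: (0x811C9DC5, 0x01000193),
    64: (0xCBF29CE484222325, 0x00000100000001B3),
}


def fnv1a(data: bytes, bits: int = 64) -> int:
    """FNV-1a: XOR each byte into the state, then multiply by the prime (mod 2**bits)."""
    basis, prime = FNV_PARAMS[bits]
    mask = (1 << bits) - 1
    h = basis
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def hashed_blocklist(names, bits: int = 64) -> frozenset:
    """What the malware author ships: hashes of lower-cased names, never the names themselves."""
    return frozenset(fnv1a(n.lower().encode(), bits) for n in names)


def blocked_processes(running, blocklist, bits: int = 64) -> list:
    """The implant's check: which running processes hash to an entry in the blocklist."""
    return [p for p in running if fnv1a(p.lower().encode(), bits) in blocklist]


def recover_blocklist(blocklist, candidates, bits: int = 64) -> dict:
    """The defender's view: map hashes back to names by hashing a dictionary of likely names."""
    hits = {}
    for name in candidates:
        h = fnv1a(name.lower().encode(), bits)
        if h in blocklist:
            hits[h] = name
    return hits


def dormancy_days(min_days: int, max_days: int, rng: random.Random) -> int:
    """Pick a random dormancy period in [min_days, max_days], like both backdoors' sleep logic."""
    if min_days > max_days:
        raise ValueError("min_days must not exceed max_days")
    return rng.randint(min_days, max_days)


def example_waits(seed: int) -> tuple:
    """Kazuar-style (2-4 weeks) and Sunburst-style (12-14 days) waits from one seeded RNG."""
    rng = random.Random(seed)
    return dormancy_days(14, 28, rng), dormancy_days(12, 14, rng)


# Constructed blocklist of analysis-tool process names; not the real Sunburst list.
EXAMPLE_BLOCKLIST = hashed_blocklist(["procmon.exe", "wireshark.exe", "x64dbg.exe"])


if __name__ == "__main__":
    running = ["explorer.exe", "Wireshark.exe", "notepad.exe"]  # constructed sample
    print("blocked:", blocked_processes(running, EXAMPLE_BLOCKLIST))
    candidates = ["procmon.exe", "svchost.exe", "x64dbg.exe"]  # constructed dictionary
    print("recovered:", recover_blocklist(EXAMPLE_BLOCKLIST, candidates))
    kazuar_wait, sunburst_wait = example_waits(2021)
    print("Kazuar-style wait: %d days, Sunburst-style wait: %d days" % (kazuar_wait, sunburst_wait))
```

The lower-casing before hashing matters on both sides: if the implant normalizes case and the analyst does not, the dictionary attack on the blocklist silently misses every entry.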

[Figure: sleeping algorithm of Kazuar and the Sunburst backdoor]

The experts also say that Kazuar is probably connected to Turla; the next section covers this link in detail.

How Is Kazuar Linked to Turla?

The Kazuar backdoor is written using the .NET Framework and establishes a command-and-control channel that allows the attackers to interact with compromised systems and extract data.

Kazuar has typical spyware capabilities and supports various commands, such as capturing screenshots, and it can load additional functionality through a plugin command.

Palo Alto Networks tentatively linked the tool to the Russian hacking group Turla, whose activity has been traced back to at least 2005.

On November 18, 2020, a completely redesigned Kazuar sample appeared, with new features including a keylogger and password-stealing functions as well as the ability to operate as a command-and-control server.

It is possible that the attackers used this updated version, and that the new features were introduced to bypass endpoint detection deployed in response to the SolarWinds attack.

The researchers also said: "The group behind the SolarWinds attack might have used the updated version, and it is possible that the Kazuar code was changed and reused in the Sunburst backdoor."

CISA Updates After the Investigation

Last week, CISA, together with the FBI, the NSA and the ODNI, issued a joint statement on the SolarWinds Sunburst backdoor hack, describing the actor as likely Russian in origin.

The researchers also said the code overlap between Kazuar and Sunburst is the most interesting finding, because it represents the first potential identified link to malware used in previous attacks.

CISA also issued an update on January 6, 2021, reporting that in some cases the actor obtained initial access by means other than the Orion supply chain: password guessing, password spraying, and abuse of inappropriately secured administrative credentials reachable through external remote access services.

The relationship between Sunburst and Kazuar is not yet clear. Proper analysis will require more time, and it is possible that the Sunburst developers simply borrowed Kazuar code and were very skilled at adapting it. The attackers did not make any mistakes while executing the operation, CISA said.
