- Jul 22, 2014
Russian cyberspies have developed a new breed of backdoor trojan that features several novel techniques, including an API that allows attackers to reverse the C&C communications flow when needed.
This new threat came to light on Wednesday via two reports from Fox-IT and Palo Alto Networks, respectively.
In the malware's source code, its author referenced this tool as Kazuar, a word that means "cassowary" in several Slavic languages.
Researchers say Kazuar is coded in the .NET Framework and appears to have versions for all three major operating systems. The Palo Alto report analyzes Kazuar, the name given to the Windows version, while the Fox-IT report analyzes Snake, the name given to the Mac version. A Linux version has not been seen yet, but Palo Alto says there are clues in the Kazuar source code that hint at its existence.
Kazuar linked to the Turla APT
Both Fox-IT and Palo Alto have linked this backdoor to a cyber-espionage group called Turla, believed to be operating out of Russia, which Kaspersky believes is linked to one of the first cyber-espionage groups ever spotted, the Moonlight Maze APT, active as early as 1995, well over two decades ago.
According to both security firms, Kazuar appears to be a replacement for the Uroburos backdoor trojan, which G Data researchers exposed in 2014. It is very common for cyber-espionage groups to replace malware once security researchers have detected it.
.....
In other words, Kazuar has the ability to reverse the flow of normal C&C server communications. Instead of infected hosts polling the C&C server for new commands, an attacker can contact the victim whenever they want and send new instructions.
This approach has two main benefits. First, it allows the attacker to migrate C&C servers at will. Second, it allows the malware to bypass some security solutions that keep a close eye on outbound connections to suspicious domains but not on incoming connections.
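The monitoring gap described above (outbound connections watched, inbound ones not) is something a defender can close with a small rule over existing firewall logs. The following is an added example, not code from the article or from either vendor report; it assumes a constructed log format and an assumed internal workstation range of 10.0.0.0/8, and flags every allowed connection that an external address initiated towards an internal host.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed workstation range

# Constructed sample firewall log lines (not real traffic):
#   <ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <direction> <action>
SAMPLE_LOG = """\
2017-05-03T10:00:01 10.1.2.3:51234 -> 93.184.216.34:443 outbound allow
2017-05-03T10:00:05 10.1.2.3:51235 -> 93.184.216.34:443 outbound allow
2017-05-03T10:01:10 198.51.100.7:40000 -> 10.1.2.3:8080 inbound allow
2017-05-03T10:02:00 10.1.2.9:51300 -> 198.51.100.7:443 outbound allow
2017-05-03T10:03:30 203.0.113.5:44444 -> 10.1.2.3:8080 inbound allow
2017-05-03T10:04:00 10.1.2.9:51301 -> 10.1.2.3:445 inbound allow
"""


def parse_line(line):
    """Split one log line (in the constructed format above) into its fields."""
    ts, src, _arrow, dst, direction, action = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "dst": dst_ip,
            "dst_port": int(dst_port), "direction": direction, "action": action}


def inbound_from_external(log_text, internal_net=INTERNAL_NET):
    """Return {internal_host: [(external_src, dst_port), ...]} for every allowed
    connection that an outside address initiated towards an internal host.
    Outbound flows and internal-to-internal flows (e.g. the SMB line above)
    are ignored: only the reversed direction the article describes is reported."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["action"] != "allow" or rec["direction"] != "inbound":
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if dst in internal_net and src not in internal_net:
            hits[rec["dst"]].append((rec["src"], rec["dst_port"]))
    return dict(hits)


if __name__ == "__main__":
    for host, sources in inbound_from_external(SAMPLE_LOG).items():
        print(f"{host}: {len(sources)} inbound connection(s) from outside: {sources}")
```

On the sample above the rule reports only the workstation 10.1.2.3, which accepted two connections on port 8080 from outside addresses while its own outbound traffic looked unremarkable.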
....