win.kazuar

Kazuar

Actor(s): Turla

There is no description at this point.

References
2023-10-31 | Palo Alto Networks Unit 42 | Daniel Frank, Tom Fakterman
Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)
Families: Kazuar

2023-08-30 | Kaspersky Labs | David Emm
IT threat evolution in Q2 2023
Families: 3CX Backdoor, Bankshot, BLINDINGCAN, GoldMax, Kazuar, QUIETCANARY, tomiris, GoldenJackal

2023-07-19 | Twitter (@MsftSecIntel) | Microsoft Threat Intelligence
Tweet on targeted attacks against the defense sector in Ukraine and Eastern Europe by the threat actor Secret Blizzard
Families: DeliveryCheck, Kazuar

2023-07-18 | Cert-UA | Cert-UA
Targeted Turla attacks (UAC-0024, UAC-0003) using CAPIBAR and KAZUAR malware (CERT-UA#6981)
Families: DeliveryCheck, Kazuar

2023-04-24 | Kaspersky Labs | Ivan Kwiatkowski, Pierre Delcher
Tomiris called, they want their Turla malware back
Families: KopiLuwak, Andromeda, Ave Maria, GoldMax, JLORAT, Kazuar, Meterpreter, QUIETCANARY, RATel, Roopy, Telemiris, tomiris, Topinambour, Tomiris

2021-06-12 | YouTube (BSidesBoulder) | Kaspersky, Kurt Baumgartner
Same and Different - sesame street level attribution
Families: Kazuar, SUNBURST

2021-04-27 | Kaspersky | GReAT
APT trends report Q1 2021
Families: PAS, Artra Downloader, BadNews, Bozok, DILLJUICE, Kazuar, Quasar RAT, SodaMaster

2021-01-11 | Kaspersky Labs | Costin Raiu, Georgy Kucherin, Igor Kuznetsov
Sunburst backdoor – code overlaps with Kazuar
Families: Kazuar, SUNBURST

2020-10-28 | Accenture | Cyber Defense
Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Families: Cobra Carbon System, Kazuar, TurlaRPC, Turla SilentMoon

2020-05-28 | EpicTurla | Juan Andrés Guerrero-Saade
SysInTURLA
Families: Kazuar

2020-05-21 | PICUS Security | Süleyman Özarslan
T1055 Process Injection
Families: BlackEnergy, Cardinal RAT, Downdelph, Emotet, Kazuar, RokRAT, SOUNDBITE

2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
Families: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA, Sea Turtle

2017-05-03 | Palo Alto Networks Unit 42 | Brandon Levene, Robert Falcone, Tyler Halfpop
Kazuar: Multiplatform Espionage Backdoor with API Access
Families: Kazuar
Yara Rules
[TLP:WHITE] win_kazuar_auto (20230808 | Detects win.kazuar.)
rule win_kazuar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.kazuar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 3d88ae6393 7506 498b4310 eb0f }
            // n = 5, score = 300
            //   e8????????           |                     
            //   3d88ae6393           | mov                 eax, dword ptr [ebp - 0x1c]
            //   7506                 | mov                 dword ptr [esp + 0xc], esi
            //   498b4310             | mov                 dword ptr [esp + 8], edi
            //   eb0f                 | mov                 dword ptr [esp], eax

        $sequence_1 = { e8???????? 4c8d4c2428 31d2 31c9 01c0 4c89442438 6689442430 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   4c8d4c2428           | test                eax, eax
            //   31d2                 | je                  0x58d
            //   31c9                 | lea                 edx, [ebp - 0xc]
            //   01c0                 | mov                 dword ptr [ebp - 0xc], 0
            //   4c89442438           | je                  0x5a8
            //   6689442430           | mov                 edx, eax

        $sequence_2 = { 8d8b80030000 894c240c 8d8b00030000 894c2408 8d4b08 894c2404 }
            // n = 6, score = 300
            //   8d8b80030000         | pop                 ebp
            //   894c240c             | je                  0x1c5
            //   8d8b00030000         | dec                 eax
            //   894c2408             | mov                 ecx, ebx
            //   8d4b08               | mov                 dl, 1
            //   894c2404             | mov                 al, dl

        $sequence_3 = { 740a 81ea00204000 01d0 eb02 31c0 5d c3 }
            // n = 7, score = 300
            //   740a                 | test                ebx, ebx
            //   81ea00204000         | je                  0x11b
            //   01d0                 | cmp                 ebx, esi
            //   eb02                 | jne                 0x100
            //   31c0                 | jmp                 0x12a
            //   5d                   | mov                 dword ptr [ebx], 0
            //   c3                   | mov                 dword ptr [ebx + 4], 0

        $sequence_4 = { 7452 83b98c00000000 7449 4c01de }
            // n = 4, score = 300
            //   7452                 | cmp                 ebx, ebx
            //   83b98c00000000       | jne                 0x14
            //   7449                 | dec                 ebp
            //   4c01de               | test                ebx, ebx

        $sequence_5 = { 8b45dc 8b10 890424 ff520c 85c0 52 }
            // n = 6, score = 300
            //   8b45dc               | push                ebx
            //   8b10                 | sub                 esp, 0x4c
            //   890424               | mov                 ebx, dword ptr [ebp + 8]
            //   ff520c               | mov                 dword ptr [ebx + 4], 0x161
            //   85c0                 | mov                 dword ptr [ebx], 0x80004005
            //   52                   | push                ebx

        $sequence_6 = { 8b461c 498d1493 8b0402 4c01d8 }
            // n = 4, score = 300
            //   8b461c               | je                  0x19d
            //   498d1493             | mov                 eax, 0x402470
            //   8b0402               | test                ecx, ecx
            //   4c01d8               | je                  0x1ac

        $sequence_7 = { 8bb188000000 85f6 7452 83b98c00000000 7449 4c01de 31db }
            // n = 7, score = 300
            //   8bb188000000         | call                edx
            //   85f6                 | dec                 esp
            //   7452                 | mov                 edi, eax
            //   83b98c00000000       | mov                 dword ptr [esp + 0x29], 0x3e3a3a1d
            //   7449                 | xor                 eax, eax
            //   4c01de               | mov                 word ptr [esp + 0x2d], 0x2d10
            //   31db                 | mov                 byte ptr [esp + 0x2f], 0x55

        $sequence_8 = { 89d7 7463 4863493c 4c01d9 8bb188000000 85f6 7452 }
            // n = 7, score = 300
            //   89d7                 | mov                 edx, ebp
            //   7463                 | dec                 ecx
            //   4863493c             | mov                 ecx, edi
            //   4c01d9               | dec                 eax
            //   8bb188000000         | mov                 ecx, eax
            //   85f6                 | dec                 ecx
            //   7452                 | mov                 eax, eax

        $sequence_9 = { 890424 894c2410 8d8b80030000 894c240c 8d8b00030000 }
            // n = 5, score = 300
            //   890424               | dec                 ecx
            //   894c2410             | mov                 ebx, ecx
            //   8d8b80030000         | push                ebx
            //   894c240c             | dec                 eax
            //   8d8b00030000         | sub                 esp, 0x20

    condition:
        7 of them and filesize < 81920
}