SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kazuar (Back to overview)

Kazuar

Actor(s): Turla

There is no description at this point.

References
2023-07-19Twitter (@MsftSecIntel)Microsoft Threat Intelligence
@online{intelligence:20230719:targeted:a0e926e, author = {Microsoft Threat Intelligence}, title = {{Tweet on targeted attacks against the defense sector in Ukraine and Eastern Europe by the threat actor Secret Blizzard}}, date = {2023-07-19}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/msftsecintel/status/1681695399084539908}, language = {English}, urldate = {2023-07-20} } Tweet on targeted attacks against the defense sector in Ukraine and Eastern Europe by the threat actor Secret Blizzard
DeliveryCheck Kazuar
2023-07-18Cert-UACert-UA
@online{certua:20230718:targeted:514e9c6, author = {Cert-UA}, title = {{Targeted Turla attacks (UAC-0024, UAC-0003) using CAPIBAR and KAZUAR malware (CERT-UA#6981)}}, date = {2023-07-18}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/5213167}, language = {English}, urldate = {2023-07-20} } Targeted Turla attacks (UAC-0024, UAC-0003) using CAPIBAR and KAZUAR malware (CERT-UA#6981)
DeliveryCheck Kazuar
2023-04-24Kaspersky LabsPierre Delcher, Ivan Kwiatkowski
@online{delcher:20230424:tomiris:2d65352, author = {Pierre Delcher and Ivan Kwiatkowski}, title = {{Tomiris called, they want their Turla malware back}}, date = {2023-04-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/}, language = {English}, urldate = {2023-04-26} } Tomiris called, they want their Turla malware back
KopiLuwak Andromeda Ave Maria GoldMax JLORAT Kazuar Meterpreter QUIETCANARY RATel Roopy Telemiris tomiris Topinambour
2021-06-12YouTube (BSidesBoulder)Kurt Baumgartner, Kaspersky
@online{baumgartner:20210612:same:49bc254, author = {Kurt Baumgartner and Kaspersky}, title = {{Same and Different - sesame street level attribution}}, date = {2021-06-12}, organization = {YouTube (BSidesBoulder)}, url = {https://youtu.be/SW8kVkwDOrc?t=24706}, language = {English}, urldate = {2021-06-21} } Same and Different - sesame street level attribution
Kazuar SUNBURST
2021-04-27KasperskyGReAT
@online{great:20210427:trends:e1c92a3, author = {GReAT}, title = {{APT trends report Q1 2021}}, date = {2021-04-27}, organization = {Kaspersky}, url = {https://securelist.com/apt-trends-report-q1-2021/101967/}, language = {English}, urldate = {2021-04-29} } APT trends report Q1 2021
PAS Artra Downloader BadNews Bozok DILLJUICE Kazuar Quasar RAT SodaMaster
2021-01-11Kaspersky LabsGeorgy Kucherin, Igor Kuznetsov, Costin Raiu
@online{kucherin:20210111:sunburst:a4ecf12, author = {Georgy Kucherin and Igor Kuznetsov and Costin Raiu}, title = {{Sunburst backdoor – code overlaps with Kazuar}}, date = {2021-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/sunburst-backdoor-kazuar/99981/}, language = {English}, urldate = {2021-01-11} } Sunburst backdoor – code overlaps with Kazuar
Kazuar SUNBURST
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-05-28EpicTurlaJuan Andrés Guerrero-Saade
@online{guerrerosaade:20200528:sysinturla:8cad820, author = {Juan Andrés Guerrero-Saade}, title = {{SysInTURLA}}, date = {2020-05-28}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/sysinturla}, language = {English}, urldate = {2020-05-29} } SysInTURLA
Kazuar
2020-05-21PICUS SecuritySüleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2017-05-03Palo Alto Networks Unit 42Brandon Levene, Robert Falcone, Tyler Halfpop
@online{levene:20170503:kazuar:84e99e2, author = {Brandon Levene and Robert Falcone and Tyler Halfpop}, title = {{Kazuar: Multiplatform Espionage Backdoor with API Access}}, date = {2017-05-03}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/}, language = {English}, urldate = {2019-12-20} } Kazuar: Multiplatform Espionage Backdoor with API Access
Kazuar
Yara Rules
[TLP:WHITE] win_kazuar_auto (20230715 | Detects win.kazuar.)
rule win_kazuar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.kazuar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb07 48ffc3 ebc8 31c0 4883c420 5b }
            // n = 6, score = 300
            //   eb07                 | mov                 ecx, ebx
            //   48ffc3               | test                eax, eax
            //   ebc8                 | jne                 0x183
            //   31c0                 | mov                 dword ptr [ebx], 0x80004005
            //   4883c420             | mov                 dword ptr [ebx + 4], 0x168
            //   5b                   | mov                 edi, 0x80004005

        $sequence_1 = { 31c0 4885db 7428 4989db }
            // n = 4, score = 300
            //   31c0                 | dec                 ecx
            //   4885db               | mov                 edx, ecx
            //   7428                 | je                  0x32
            //   4989db               | xor                 eax, eax

        $sequence_2 = { 894c2414 8d8b00020000 890424 894c2410 8d8b80030000 894c240c }
            // n = 6, score = 300
            //   894c2414             | mov                 ecx, ebx
            //   8d8b00020000         | dec                 eax
            //   890424               | lea                 ebx, [esp + 0x2c]
            //   894c2410             | dec                 eax
            //   8d8b80030000         | mov                 edx, ebx
            //   894c240c             | test                eax, eax

        $sequence_3 = { 890424 89542408 ffd1 83ec0c 85c0 }
            // n = 5, score = 300
            //   890424               | push                ebx
            //   89542408             | dec                 eax
            //   ffd1                 | sub                 esp, 0x20
            //   83ec0c               | xor                 ebx, ebx
            //   85c0                 | dec                 eax

        $sequence_4 = { 4889c1 4989c0 e8???????? 4c8d4c2428 31d2 31c9 01c0 }
            // n = 7, score = 300
            //   4889c1               | push                ebp
            //   4989c0               | cmp                 cx, 0x19
            //   e8????????           |                     
            //   4c8d4c2428           | lea                 eax, [ebp - 0x14]
            //   31d2                 | mov                 dword ptr [esp], 0
            //   31c9                 | mov                 dword ptr [esp + 0xc], eax
            //   01c0                 | lea                 eax, [ebp - 0x10]

        $sequence_5 = { 4c89442438 6689442430 4c8d442430 83c002 6689442432 48c744242800000000 }
            // n = 6, score = 300
            //   4c89442438           | dec                 eax
            //   6689442430           | lea                 edx, [0xf13]
            //   4c8d442430           | dec                 eax
            //   83c002               | mov                 ecx, ebx
            //   6689442432           | test                eax, eax
            //   48c744242800000000     | dec    ecx

        $sequence_6 = { 31d2 31c9 01c0 4c89442438 6689442430 4c8d442430 }
            // n = 6, score = 300
            //   31d2                 | mov                 dword ptr [esp + 4], eax
            //   31c9                 | mov                 edx, dword ptr [ebp - 0x2c]
            //   01c0                 | mov                 dword ptr [esp + 0xc], edi
            //   4c89442438           | mov                 dword ptr [esp + 0x14], esi
            //   6689442430           | mov                 dword ptr [esp + 8], 0
            //   4c8d442430           | mov                 dword ptr [esp + 4], eax

        $sequence_7 = { e8???????? 0fbec0 41ffc1 4131c0 4569c097010001 ebdd 4489c0 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   0fbec0               | mov                 dword ptr [esp + 0xc], eax
            //   41ffc1               | mov                 word ptr [ebp - 0xe], ax
            //   4131c0               | lea                 eax, [ebp - 0x14]
            //   4569c097010001       | mov                 dword ptr [esp], 0
            //   ebdd                 | mov                 dword ptr [esp + 0xc], eax
            //   4489c0               | lea                 eax, [ebp - 0x10]

        $sequence_8 = { 4989cb 89d7 7463 4863493c }
            // n = 4, score = 300
            //   4989cb               | je                  0xe6
            //   89d7                 | inc                 ebp
            //   7463                 | xor                 ecx, ecx
            //   4863493c             | dec                 eax

        $sequence_9 = { 4989cb 89d7 7463 4863493c 4c01d9 }
            // n = 5, score = 300
            //   4989cb               | je                  0x99
            //   89d7                 | cmp                 word ptr [eax + edx*2], 0
            //   7463                 | xor                 eax, ebx
            //   4863493c             | imul                ebx, eax, 0x1000197
            //   4c01d9               | jmp                 0x80

    condition:
        7 of them and filesize < 81920
}
Download all Yara Rules