SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kazuar (Back to overview)

Kazuar

Actor(s): Turla Group

There is no description at this point.

References
2021-06-12YouTube (BSidesBoulder)Kurt Baumgartner, Kaspersky
@online{baumgartner:20210612:same:49bc254, author = {Kurt Baumgartner and Kaspersky}, title = {{Same and Different - sesame street level attribution}}, date = {2021-06-12}, organization = {YouTube (BSidesBoulder)}, url = {https://youtu.be/SW8kVkwDOrc?t=24706}, language = {English}, urldate = {2021-06-21} } Same and Different - sesame street level attribution
Kazuar SUNBURST
2021-04-27KasperskyGReAT
@online{great:20210427:trends:e1c92a3, author = {GReAT}, title = {{APT trends report Q1 2021}}, date = {2021-04-27}, organization = {Kaspersky}, url = {https://securelist.com/apt-trends-report-q1-2021/101967/}, language = {English}, urldate = {2021-04-29} } APT trends report Q1 2021
PAS Artra Downloader BadNews Bozok DILLJUICE Kazuar Quasar RAT SodaMaster
2021-01-11Kaspersky LabsGeorgy Kucherin, Igor Kuznetsov, Costin Raiu
@online{kucherin:20210111:sunburst:a4ecf12, author = {Georgy Kucherin and Igor Kuznetsov and Costin Raiu}, title = {{Sunburst backdoor – code overlaps with Kazuar}}, date = {2021-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/sunburst-backdoor-kazuar/99981/}, language = {English}, urldate = {2021-01-11} } Sunburst backdoor – code overlaps with Kazuar
Kazuar SUNBURST
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-05-28EpicTurlaJuan Andrés Guerrero-Saade
@online{guerrerosaade:20200528:sysinturla:8cad820, author = {Juan Andrés Guerrero-Saade}, title = {{SysInTURLA}}, date = {2020-05-28}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/sysinturla}, language = {English}, urldate = {2020-05-29} } SysInTURLA
Kazuar
2020-05-21PICUS SecuritySüleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2017-05-03Palo Alto Networks Unit 42Brandon Levene, Robert Falcone, Tyler Halfpop
@online{levene:20170503:kazuar:84e99e2, author = {Brandon Levene and Robert Falcone and Tyler Halfpop}, title = {{Kazuar: Multiplatform Espionage Backdoor with API Access}}, date = {2017-05-03}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/}, language = {English}, urldate = {2019-12-20} } Kazuar: Multiplatform Espionage Backdoor with API Access
Kazuar
Yara Rules
[TLP:WHITE] win_kazuar_auto (20210616 | Detects win.kazuar.)
rule win_kazuar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.kazuar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4489c8 410fb70c42 6685c9 7417 e8???????? }
            // n = 5, score = 300
            //   4489c8               | ret                 
            //   410fb70c42           | xor                 edx, edx
            //   6685c9               | test                eax, eax
            //   7417                 | je                  0x229
            //   e8????????           |                     

        $sequence_1 = { 4c01de 31db 8b6e20 448b6618 }
            // n = 4, score = 300
            //   4c01de               | nop                 
            //   31db                 | dec                 eax
            //   8b6e20               | mov                 dword ptr [esp + 0x28], ecx
            //   448b6618             | dec                 eax

        $sequence_2 = { e8???????? 4889c1 4989c0 e8???????? 4c8d4c2428 31d2 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   4889c1               | mov                 ebx, dword ptr [eax + 0x3c]
            //   4989c0               | xor                 edi, edi
            //   e8????????           |                     
            //   4c8d4c2428           | add                 ebx, eax
            //   31d2                 | sub                 esp, 0xc

        $sequence_3 = { 4c01db 0fb71403 8b461c 498d1493 8b0402 4c01d8 }
            // n = 6, score = 300
            //   4c01db               | test                eax, eax
            //   0fb71403             | je                  0xbb9
            //   8b461c               | dec                 eax
            //   498d1493             | mov                 ecx, ebx
            //   8b0402               | dec                 eax
            //   4c01d8               | test                eax, eax

        $sequence_4 = { 0fbec0 41ffc1 4131c0 4569c097010001 ebdd }
            // n = 5, score = 300
            //   0fbec0               | mov                 eax, dword ptr [ebp - 0x24]
            //   41ffc1               | lea                 ecx, dword ptr [ebp - 0x1c]
            //   4131c0               | mov                 dword ptr [ebx + 4], 0x18b
            //   4569c097010001       | mov                 eax, 0x80131700
            //   ebdd                 | mov                 eax, 0x4024f4

        $sequence_5 = { 01c0 4c89442438 6689442430 4c8d442430 }
            // n = 4, score = 300
            //   01c0                 | add                 eax, eax
            //   4c89442438           | dec                 esp
            //   6689442430           | mov                 dword ptr [esp + 0x38], eax
            //   4c8d442430           | mov                 word ptr [esp + 0x30], ax

        $sequence_6 = { 8d45ec c7042400000000 8944240c 8d45f0 89442408 ffd1 }
            // n = 6, score = 300
            //   8d45ec               | inc                 ecx
            //   c7042400000000       | pop                 esp
            //   8944240c             | ret                 
            //   8d45f0               | dec                 eax
            //   89442408             | sub                 esp, 0x48
            //   ffd1                 | pop                 edi

        $sequence_7 = { 4885c9 740d 89c2 66833c5100 }
            // n = 4, score = 300
            //   4885c9               | mov                 eax, edi
            //   740d                 | dec                 eax
            //   89c2                 | add                 ebx, ebx
            //   66833c5100           | dec                 esp

        $sequence_8 = { 4c01d8 eb07 48ffc3 ebc8 31c0 4883c420 5b }
            // n = 7, score = 300
            //   4c01d8               | test                eax, eax
            //   eb07                 | je                  0x26a
            //   48ffc3               | mov                 edx, 0xde94459a
            //   ebc8                 | ret                 
            //   31c0                 | push                ebx
            //   4883c420             | dec                 eax
            //   5b                   | sub                 esp, 0x130

        $sequence_9 = { 31c9 41b804010000 488d5c242c 4889da ff15???????? }
            // n = 5, score = 300
            //   31c9                 | mov                 dword ptr [ebp - 0x1c], 0
            //   41b804010000         | mov                 eax, dword ptr [eax]
            //   488d5c242c           | mov                 ecx, dword ptr [eax + 0xc]
            //   4889da               | mov                 eax, 0x4024e4
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 81920
}
Download all Yara Rules