win.kazuar

Kazuar

Actor(s): Turla Group


There is no description at this point.

References
2020-05-28 · EpicTurla · Juan Andrés Guerrero-Saade
@online{guerrerosaade:20200528:sysinturla:8cad820, author = {Juan Andrés Guerrero-Saade}, title = {{SysInTURLA}}, date = {2020-05-28}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/sysinturla}, language = {English}, urldate = {2020-05-29} } SysInTURLA
Kazuar
2020-05-21 · PICUS Security · Süleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-03 · PWC UK · PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2017-05-03 · Palo Alto Networks Unit 42 · Brandon Levene, Robert Falcone, Tyler Halfpop
@online{levene:20170503:kazuar:84e99e2, author = {Brandon Levene and Robert Falcone and Tyler Halfpop}, title = {{Kazuar: Multiplatform Espionage Backdoor with API Access}}, date = {2017-05-03}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/}, language = {English}, urldate = {2019-12-20} } Kazuar: Multiplatform Espionage Backdoor with API Access
Kazuar
Yara Rules
[TLP:WHITE] win_kazuar_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_kazuar_auto {

    // Provenance fields emitted by yara-signator. malpedia_hash presumably
    // identifies the Malpedia data snapshot the rule was generated from —
    // confirm against the yara-signator documentation before relying on it.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a raw byte n-gram picked by yara-signator (see the
        // DISCLAIMER above); the indented comment block under it is the tool's
        // own decoding of those bytes. "n" is the number of decoded instructions
        // in the sequence; "score" is the tool's selection score, whose scale is
        // not documented on this page.
        // A run of "?" nibbles is a YARA wildcard: the 4 bytes after e9 and after
        // 0215 are left unconstrained and the tool prints no mnemonic for them —
        // presumably because that operand is address-dependent; verify against
        // the yara-signator documentation.
        // NOTE(review): much of the decoded code below (`push cs`, `pop ss`,
        // `popfd`, `leave`, long runs of `add byte ptr [...]`/`adc`) does not
        // look like plausible compiler output, so these n-grams may have been
        // lifted from data regions rather than executable code. Assign this rule
        // confidence accordingly, as the DISCLAIMER advises.
        $sequence_0 = { 261449 013e 002c14 e9???????? 14f1 04c7 ad }
            // n = 7, score = 100
            //   261449               | adc                 al, 0x49
            //   013e                 | add                 dword ptr [esi], edi
            //   002c14               | add                 byte ptr [esp + edx], ch
            //   e9????????           |                     
            //   14f1                 | adc                 al, 0xf1
            //   04c7                 | add                 al, 0xc7
            //   ad                   | lodsd               eax, dword ptr [esi]

        $sequence_1 = { b0b2 00e1 0039 b0d6 08e9 }
            // n = 5, score = 100
            //   b0b2                 | mov                 al, 0xb2
            //   00e1                 | add                 cl, ah
            //   0039                 | add                 byte ptr [ecx], bh
            //   b0d6                 | mov                 al, 0xd6
            //   08e9                 | or                  cl, ch

        // NOTE(review): $sequence_2 and $sequence_3 overlap — the bytes
        // 86ae1204c102 9d ae b208 appear in both — so a single hit on that
        // region can satisfy two of the seven required matches. The "7 of them"
        // threshold is therefore slightly weaker than ten independent sequences.
        $sequence_2 = { 86ae1204c102 9d ae b208 d101 a5 ae }
            // n = 7, score = 100
            //   86ae1204c102         | xchg                byte ptr [esi + 0x2c10412], ch
            //   9d                   | popfd               
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   b208                 | mov                 dl, 8
            //   d101                 | rol                 dword ptr [ecx], 1
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   ae                   | scasb               al, byte ptr es:[edi]

        $sequence_3 = { 1902 86ae1204c102 9d ae b208 }
            // n = 5, score = 100
            //   1902                 | sbb                 dword ptr [edx], eax
            //   86ae1204c102         | xchg                byte ptr [esi + 0x2c10412], ch
            //   9d                   | popfd               
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   b208                 | mov                 dl, 8

        $sequence_4 = { 05d7afc515 61 053e003b07 61 057d3cd805 }
            // n = 5, score = 100
            //   05d7afc515           | add                 eax, 0x15c5afd7
            //   61                   | popal               
            //   053e003b07           | add                 eax, 0x73b003e
            //   61                   | popal               
            //   057d3cd805           | add                 eax, 0x5d83c7d

        $sequence_5 = { a5 a5 10a103e2a680 10a103eaa680 10b90351a7da }
            // n = 5, score = 100
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   10a103e2a680         | adc                 byte ptr [ecx - 0x7f591dfd], ah
            //   10a103eaa680         | adc                 byte ptr [ecx - 0x7f5915fd], ah
            //   10b90351a7da         | adc                 byte ptr [ecx - 0x2558aefd], bh

        $sequence_6 = { 0043a1 4c 0e c9 0215???????? 003e 000a }
            // n = 7, score = 100
            //   0043a1               | add                 byte ptr [ebx - 0x5f], al
            //   4c                   | dec                 esp
            //   0e                   | push                cs
            //   c9                   | leave               
            //   0215????????         |                     
            //   003e                 | add                 byte ptr [esi], bh
            //   000a                 | add                 byte ptr [edx], cl

        $sequence_7 = { 0029 0267ab 3612a10080ab52 129900a9ab70 129104d9a576 128104eaa657 021c00 }
            // n = 7, score = 100
            //   0029                 | add                 byte ptr [ecx], ch
            //   0267ab               | add                 ah, byte ptr [edi - 0x55]
            //   3612a10080ab52       | adc                 ah, byte ptr ss:[ecx + 0x52ab8000]
            //   129900a9ab70         | adc                 bl, byte ptr [ecx + 0x70aba900]
            //   129104d9a576         | adc                 dl, byte ptr [ecx + 0x76a5d904]
            //   128104eaa657         | adc                 al, byte ptr [ecx + 0x57a6ea04]
            //   021c00               | add                 bl, byte ptr [eax + eax]

        $sequence_8 = { 1e ae 811429053cae87 1449 0316 }
            // n = 5, score = 100
            //   1e                   | push                ds
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   811429053cae87       | adc                 dword ptr [ecx + ebp], 0x87ae3c05
            //   1449                 | adc                 al, 0x49
            //   0316                 | add                 edx, dword ptr [esi]

        $sequence_9 = { 2902 47 af 17 15b902bea4 1c15 }
            // n = 6, score = 100
            //   2902                 | sub                 dword ptr [edx], eax
            //   47                   | inc                 edi
            //   af                   | scasd               eax, dword ptr es:[edi]
            //   17                   | pop                 ss
            //   15b902bea4           | adc                 eax, 0xa4be02b9
            //   1c15                 | sbb                 al, 0x15

    condition:
        // Match when any 7 of the 10 sequences above are present and the
        // scanned object is smaller than 516096 bytes (504 KiB). The size bound
        // keeps scan cost down, but a larger carrier of the same bytes (e.g. a
        // whole process dump) will not match. There is deliberately no PE header
        // check, consistent with the rule being derived from memory dumps and
        // unpacked files (see DISCLAIMER); the rule can therefore fire on
        // non-PE inputs as well.
        7 of them and filesize < 516096
}