win.kazuar

Kazuar

Actor(s): Turla Group


There is no description at this point.

References
2021-06-12 | YouTube (BSidesBoulder) | Kurt Baumgartner, Kaspersky
@online{baumgartner:20210612:same:49bc254, author = {Kurt Baumgartner and Kaspersky}, title = {{Same and Different - sesame street level attribution}}, date = {2021-06-12}, organization = {YouTube (BSidesBoulder)}, url = {https://youtu.be/SW8kVkwDOrc?t=24706}, language = {English}, urldate = {2021-06-21} } Same and Different - sesame street level attribution
Kazuar SUNBURST
2021-04-27 | Kaspersky | GReAT
@online{great:20210427:trends:e1c92a3, author = {GReAT}, title = {{APT trends report Q1 2021}}, date = {2021-04-27}, organization = {Kaspersky}, url = {https://securelist.com/apt-trends-report-q1-2021/101967/}, language = {English}, urldate = {2021-04-29} } APT trends report Q1 2021
PAS Artra Downloader BadNews Bozok DILLJUICE Kazuar Quasar RAT SodaMaster
2021-01-11 | Kaspersky Labs | Georgy Kucherin, Igor Kuznetsov, Costin Raiu
@online{kucherin:20210111:sunburst:a4ecf12, author = {Georgy Kucherin and Igor Kuznetsov and Costin Raiu}, title = {{Sunburst backdoor – code overlaps with Kazuar}}, date = {2021-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/sunburst-backdoor-kazuar/99981/}, language = {English}, urldate = {2021-01-11} } Sunburst backdoor – code overlaps with Kazuar
Kazuar SUNBURST
2020-10-28 | Accenture | Cyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-05-28 | EpicTurla | Juan Andrés Guerrero-Saade
@online{guerrerosaade:20200528:sysinturla:8cad820, author = {Juan Andrés Guerrero-Saade}, title = {{SysInTURLA}}, date = {2020-05-28}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/sysinturla}, language = {English}, urldate = {2020-05-29} } SysInTURLA
Kazuar
2020-05-21 | PICUS Security | Süleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2017-05-03 | Palo Alto Networks Unit 42 | Brandon Levene, Robert Falcone, Tyler Halfpop
@online{levene:20170503:kazuar:84e99e2, author = {Brandon Levene and Robert Falcone and Tyler Halfpop}, title = {{Kazuar: Multiplatform Espionage Backdoor with API Access}}, date = {2017-05-03}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/}, language = {English}, urldate = {2019-12-20} } Kazuar: Multiplatform Espionage Backdoor with API Access
Kazuar
Yara Rules
[TLP:WHITE] win_kazuar_auto (20220516 | Detects win.kazuar.)
rule win_kazuar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.kazuar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * - The "| mnemonic" annotations that originally accompanied each hex
     *   sequence did not correspond to the bytes beside them (they read like
     *   32-bit decodes of unrelated code). They have been re-decoded below as
     *   x86-64; REX prefixes (41/44/45/48/49/4c) occur in most sequences, so
     *   this rule targets the 64-bit build of the family.
     * - `filesize` is only defined when YARA scans a file; on a process-memory
     *   scan it is undefined and the `and` in the condition evaluates false.
     *   The patterns were taken from memory dumps and unpacked files, so a
     *   packed on-disk sample is unlikely to expose 7 sequences either. Apply
     *   the rule to unpacked files and treat a hit as corroborating evidence
     *   to be confirmed, not as an identification on its own.
     * - $sequence_0 is a suffix of $sequence_7, so any location matching
     *   $sequence_7 also matches $sequence_0 and counts twice toward
     *   "7 of them". $sequence_9 shares its first 11 bytes with $sequence_4
     *   and differs only in the jmp displacement (two variants of the same
     *   loop), so these pairs are not independent evidence.
     */


    strings:
        $sequence_0 = { 5d 415c c3 4883ec48 }
            // n = 4, score = 300
            // function epilogue followed by the prologue of the next function
            //   5d                   | pop                 rbp
            //   415c                 | pop                 r12
            //   c3                   | ret
            //   4883ec48             | sub                 rsp, 0x48

        $sequence_1 = { 4883ec28 e8???????? 31d2 4885c0 740e }
            // n = 5, score = 300
            // call with the rel32 target wildcarded, then a NULL-check on the result
            //   4883ec28             | sub                 rsp, 0x28
            //   e8????????           | call                <rel32 masked>
            //   31d2                 | xor                 edx, edx
            //   4885c0               | test                rax, rax
            //   740e                 | je                  +0xe

        $sequence_2 = { 8955e8 31f6 8b4718 8945f0 8b4720 01d8 8945ec }
            // n = 7, score = 300
            // copies two dword fields of the struct at rdi into locals
            //   8955e8               | mov                 dword ptr [rbp - 0x18], edx
            //   31f6                 | xor                 esi, esi
            //   8b4718               | mov                 eax, dword ptr [rdi + 0x18]
            //   8945f0               | mov                 dword ptr [rbp - 0x10], eax
            //   8b4720               | mov                 eax, dword ptr [rdi + 0x20]
            //   01d8                 | add                 eax, ebx
            //   8945ec               | mov                 dword ptr [rbp - 0x14], eax

        $sequence_3 = { 6689442430 4c8d442430 83c002 6689442432 48c744242800000000 }
            // n = 5, score = 300
            // builds a stack structure of two 16-bit fields followed by a zeroed qword
            // (layout resembles a counted-string header; TODO confirm against the sample)
            //   6689442430           | mov                 word ptr [rsp + 0x30], ax
            //   4c8d442430           | lea                 r8, [rsp + 0x30]
            //   83c002               | add                 eax, 2
            //   6689442432           | mov                 word ptr [rsp + 0x32], ax
            //   48c744242800000000   | mov                 qword ptr [rsp + 0x28], 0

        $sequence_4 = { 41ffc1 4131c0 4569c097010001 ebdc 4489c0 }
            // n = 5, score = 300
            // xor-then-multiply loop body (hash-style); 0x1000197 is not the
            // FNV-1a prime 0x1000193, so presumably a custom variant - verify
            //   41ffc1               | inc                 r9d
            //   4131c0               | xor                 r8d, eax
            //   4569c097010001       | imul                r8d, r8d, 0x1000197
            //   ebdc                 | jmp                 -0x24  (back to loop head)
            //   4489c0               | mov                 eax, r8d

        $sequence_5 = { 7505 8b4308 eb0c 8b1b }
            // n = 4, score = 300
            // either reads a field at rbx+8 or follows a pointer at rbx (linked-list step?)
            //   7505                 | jne                 +0x5
            //   8b4308               | mov                 eax, dword ptr [rbx + 8]
            //   eb0c                 | jmp                 +0xc
            //   8b1b                 | mov                 ebx, dword ptr [rbx]

        $sequence_6 = { 53 4883ec20 31db 65488b1c2530000000 }
            // n = 4, score = 300
            // gs:[0x30] is the TEB self-pointer on Windows x64; reading it directly
            // is typical of code that locates structures without imports - confirm
            //   53                   | push                rbx
            //   4883ec20             | sub                 rsp, 0x20
            //   31db                 | xor                 ebx, ebx
            //   65488b1c2530000000   | mov                 rbx, qword ptr gs:[0x30]

        $sequence_7 = { 5e 5f 5d 415c c3 4883ec48 }
            // n = 6, score = 300
            // superset of $sequence_0: full epilogue plus the next prologue
            //   5e                   | pop                 rsi
            //   5f                   | pop                 rdi
            //   5d                   | pop                 rbp
            //   415c                 | pop                 r12
            //   c3                   | ret
            //   4883ec48             | sub                 rsp, 0x48

        $sequence_8 = { 4989db 498b4b40 e8???????? 3d88ae6393 7506 }
            // n = 5, score = 300
            // calls through a field at +0x40 and compares the return value with a
            // fixed 32-bit constant (presumably a precomputed hash; TODO confirm)
            //   4989db               | mov                 r11, rbx
            //   498b4b40             | mov                 rcx, qword ptr [r11 + 0x40]
            //   e8????????           | call                <rel32 masked>
            //   3d88ae6393           | cmp                 eax, 0x9363ae88
            //   7506                 | jne                 +0x6

        $sequence_9 = { 41ffc1 4131c0 4569c097010001 ebdd }
            // n = 4, score = 300
            // same loop body as $sequence_4 with a different backward displacement
            //   41ffc1               | inc                 r9d
            //   4131c0               | xor                 r8d, eax
            //   4569c097010001       | imul                r8d, r8d, 0x1000197
            //   ebdd                 | jmp                 -0x23  (back to loop head)

    condition:
        // filesize is undefined for process-memory scans (see NOTE above)
        7 of them and filesize < 81920
}