win.kazuar (Back to overview)

Kazuar

Actor(s): Turla Group


There is no description at this point.

References
2021-06-12YouTube (BSidesBoulder)Kurt Baumgartner, Kaspersky
@online{baumgartner:20210612:same:49bc254, author = {Kurt Baumgartner and Kaspersky}, title = {{Same and Different - sesame street level attribution}}, date = {2021-06-12}, organization = {YouTube (BSidesBoulder)}, url = {https://youtu.be/SW8kVkwDOrc?t=24706}, language = {English}, urldate = {2021-06-21} } Same and Different - sesame street level attribution
Kazuar SUNBURST
2021-04-27KasperskyGReAT
@online{great:20210427:trends:e1c92a3, author = {GReAT}, title = {{APT trends report Q1 2021}}, date = {2021-04-27}, organization = {Kaspersky}, url = {https://securelist.com/apt-trends-report-q1-2021/101967/}, language = {English}, urldate = {2021-04-29} } APT trends report Q1 2021
PAS Artra Downloader BadNews Bozok DILLJUICE Kazuar Quasar RAT SodaMaster
2021-01-11Kaspersky LabsGeorgy Kucherin, Igor Kuznetsov, Costin Raiu
@online{kucherin:20210111:sunburst:a4ecf12, author = {Georgy Kucherin and Igor Kuznetsov and Costin Raiu}, title = {{Sunburst backdoor – code overlaps with Kazuar}}, date = {2021-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/sunburst-backdoor-kazuar/99981/}, language = {English}, urldate = {2021-01-11} } Sunburst backdoor – code overlaps with Kazuar
Kazuar SUNBURST
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-05-28EpicTurlaJuan Andrés Guerrero-Saade
@online{guerrerosaade:20200528:sysinturla:8cad820, author = {Juan Andrés Guerrero-Saade}, title = {{SysInTURLA}}, date = {2020-05-28}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/sysinturla}, language = {English}, urldate = {2020-05-29} } SysInTURLA
Kazuar
2020-05-21PICUS SecuritySüleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2017-05-03Palo Alto Networks Unit 42Brandon Levene, Robert Falcone, Tyler Halfpop
@online{levene:20170503:kazuar:84e99e2, author = {Brandon Levene and Robert Falcone and Tyler Halfpop}, title = {{Kazuar: Multiplatform Espionage Backdoor with API Access}}, date = {2017-05-03}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/}, language = {English}, urldate = {2019-12-20} } Kazuar: Multiplatform Espionage Backdoor with API Access
Kazuar
Yara Rules
[TLP:WHITE] win_kazuar_auto (20221125 | Detects win.kazuar.)
rule win_kazuar_auto {

    /* Auto-generated YARA-Signator signature for the Kazuar backdoor
     * (Malpedia family win.kazuar, attributed to Turla Group on this page).
     * It matches on raw instruction-byte sequences selected from the
     * disassembly of memory dumps and unpacked samples (see DISCLAIMER
     * below), so it is a code-reuse rule, not an on-disk/packed-file rule.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.kazuar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar"
        malpedia_rule_date = "20221118"
        // NOTE(review): presumably identifies the Malpedia data snapshot the
        // rule was generated from — confirm against the yara-signator docs.
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the "| mnemonic" annotations next to each byte group
        // below were emitted by the generator and do NOT correspond to the
        // hex bytes on the same line (e.g. 4c89442438 decodes to a
        // REX-prefixed `mov [rsp+0x38], r8`, not a `jmp`; 41ffd2 is
        // `call r10`, not `dec ecx`). Treat the hex sequences as the
        // authoritative content and decode them yourself when triaging a hit.
        // The 41/48/4c REX prefixes throughout indicate 64-bit code.
        $sequence_0 = { 4c89442438 6689442430 4c8d442430 83c002 6689442432 48c744242800000000 41ffd2 }
            // n = 7, score = 300
            //   4c89442438           | jmp                 0x493
            //   6689442430           | dec                 ebp
            //   4c8d442430           | mov                 ebx, dword ptr [ebx]
            //   83c002               | dec                 ebp
            //   6689442432           | test                ebx, ebx
            //   48c744242800000000     | je    0x491
            //   41ffd2               | dec                 ecx

        $sequence_1 = { 39f8 751c 8b4624 4801db 4c01db 0fb71403 }
            // n = 6, score = 300
            //   39f8                 | mov                 eax, 0x4024a8
            //   751c                 | mov                 dword ptr [ebp - 0x20], 0
            //   8b4624               | mov                 edi, eax
            //   4801db               | mov                 eax, 0x4024f4
            //   4c01db               | mov                 dword ptr [ebp - 0x20], 0
            //   0fb71403             | mov                 edi, eax

        // $sequence_2 is a strict sub-sequence of $sequence_0 (its last four
        // byte groups), so the two are not independent evidence; keep that in
        // mind when reading the "7 of them" count in the condition.
        $sequence_2 = { 4c8d442430 83c002 6689442432 48c744242800000000 }
            // n = 4, score = 300
            //   4c8d442430           | test                ebx, ebx
            //   83c002               | je                  0x158
            //   6689442432           | dec                 ecx
            //   48c744242800000000     | mov    ebx, ebx

        $sequence_3 = { 83c002 c744240400000000 668945f2 8d45ec c7042400000000 8944240c }
            // n = 6, score = 300
            //   83c002               | ret                 
            //   c744240400000000     | dec                 eax
            //   668945f2             | sub                 esp, 0x28
            //   8d45ec               | dec                 eax
            //   c7042400000000       | inc                 ebx
            //   8944240c             | jmp                 0x166

        $sequence_4 = { 31c0 4885c9 740d 89c2 66833c5100 7404 }
            // n = 6, score = 300
            //   31c0                 | movsx               eax, al
            //   4885c9               | xor                 eax, ebx
            //   740d                 | imul                ebx, eax, 0x1000197
            //   89c2                 | jmp                 0x68
            //   66833c5100           | movsx               eax, al
            //   7404                 | inc                 ecx

        $sequence_5 = { 48ffc3 ebc8 31c0 4883c420 5b 5e }
            // n = 6, score = 300
            //   48ffc3               | je                  0x2a3
            //   ebc8                 | dec                 eax
            //   31c0                 | lea                 ecx, [0x9a]
            //   4883c420             | xor                 edx, edx
            //   5b                   | dec                 eax
            //   5e                   | test                eax, eax

        $sequence_6 = { 4139dc 7633 8b4c9d00 4c01d9 7425 }
            // n = 5, score = 300
            //   4139dc               | mov                 eax, edi
            //   7633                 | pop                 ebx
            //   8b4c9d00             | pop                 esi
            //   4c01d9               | cmp                 dword ptr [ebp - 0x10], esi
            //   7425                 | je                  0x74

        // Generic function epilogue (pop rbx/rsi/rdi/rbp/r12, ret) followed by
        // the next function's `sub rsp, 0x48` prologue; on its own this is
        // weak evidence and only carries weight in combination with the others.
        $sequence_7 = { 5b 5e 5f 5d 415c c3 4883ec48 }
            // n = 7, score = 300
            //   5b                   | test                edx, edx
            //   5e                   | je                  0x178
            //   5f                   | dec                 eax
            //   5d                   | lea                 ecx, [0x88]
            //   415c                 | dec                 eax
            //   c3                   | mov                 ecx, eax
            //   4883ec48             | dec                 ecx

        $sequence_8 = { 4885c0 7461 ba9a4594de 4889c1 }
            // n = 4, score = 300
            //   4885c0               | test                cx, cx
            //   7461                 | inc                 ebp
            //   ba9a4594de           | xor                 ecx, ecx
            //   4889c1               | inc                 esp

        $sequence_9 = { 41ffc1 4131c0 4569c097010001 ebdd }
            // n = 4, score = 300
            //   41ffc1               | cmp                 eax, dword ptr [ebp - 0x18]
            //   4131c0               | jne                 0x71
            //   4569c097010001       | lea                 edx, [esi + esi]
            //   ebdd                 | add                 edx, ebx

    condition:
        // 7 of the 10 byte sequences must co-occur, and the scanned input must
        // be smaller than 81920 bytes (80 KiB). The size bound keeps the rule
        // from being evaluated against large containers/packed binaries, which
        // also means packed on-disk samples of the family will not match;
        // scan process memory or unpacked payloads as the DISCLAIMER suggests.
        7 of them and filesize < 81920
}