SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kazuar (Back to overview)

Kazuar

Actor(s): Turla Group

There is no description at this point.

References
2021-01-11Kaspersky LabsGeorgy Kucherin, Igor Kuznetsov, Costin Raiu
@online{kucherin:20210111:sunburst:a4ecf12, author = {Georgy Kucherin and Igor Kuznetsov and Costin Raiu}, title = {{Sunburst backdoor – code overlaps with Kazuar}}, date = {2021-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/sunburst-backdoor-kazuar/99981/}, language = {English}, urldate = {2021-01-11} } Sunburst backdoor – code overlaps with Kazuar
Kazuar SUNBURST
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-05-28EpicTurlaJuan Andrés Guerrero-Saade
@online{guerrerosaade:20200528:sysinturla:8cad820, author = {Juan Andrés Guerrero-Saade}, title = {{SysInTURLA}}, date = {2020-05-28}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/sysinturla}, language = {English}, urldate = {2020-05-29} } SysInTURLA
Kazuar
2020-05-21PICUS SecuritySüleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2017-05-03Palo Alto Networks Unit 42Brandon Levene, Robert Falcone, Tyler Halfpop
@online{levene:20170503:kazuar:84e99e2, author = {Brandon Levene and Robert Falcone and Tyler Halfpop}, title = {{Kazuar: Multiplatform Espionage Backdoor with API Access}}, date = {2017-05-03}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/}, language = {English}, urldate = {2019-12-20} } Kazuar: Multiplatform Espionage Backdoor with API Access
Kazuar
Yara Rules
[TLP:WHITE] win_kazuar_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_kazuar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { af 0015???????? 0915???????? 1115???????? }
            // n = 4, score = 100
            //   af                   | scasd               eax, dword ptr es:[edi]
            //   0015????????         |                     
            //   0915????????         |                     
            //   1115????????         |                     

        $sequence_1 = { 054905eaa6 57 022400 8ea7d2082400 3e000a }
            // n = 5, score = 100
            //   054905eaa6           | add                 eax, 0xa6ea0549
            //   57                   | push                edi
            //   022400               | add                 ah, byte ptr [eax + eax]
            //   8ea7d2082400         | mov                 fs, word ptr [edi + 0x2408d2]
            //   3e000a               | add                 byte ptr ds:[edx], cl

        $sequence_2 = { 00ec ae a6 054905eaa6 57 }
            // n = 5, score = 100
            //   00ec                 | add                 ah, ch
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   a6                   | cmpsb               byte ptr [esi], byte ptr es:[edi]
            //   054905eaa6           | add                 eax, 0xa6ea0549
            //   57                   | push                edi

        $sequence_3 = { 10b90351a7da 10c9 0369a7 e110 }
            // n = 4, score = 100
            //   10b90351a7da         | adc                 byte ptr [ecx - 0x2558aefd], bh
            //   10c9                 | adc                 cl, cl
            //   0369a7               | add                 ebp, dword ptr [ecx - 0x59]
            //   e110                 | loope               0x12

        $sequence_4 = { 41 0429 aa 7011 39043c aa 7611 }
            // n = 7, score = 100
            //   41                   | inc                 ecx
            //   0429                 | add                 al, 0x29
            //   aa                   | stosb               byte ptr es:[edi], al
            //   7011                 | jo                  0x13
            //   39043c               | cmp                 dword ptr [esp + edi], eax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   7611                 | jbe                 0x13

        $sequence_5 = { 02b90372a557 02b903fea857 02b9030ea9be 08b9031ea91a 11b90341a920 }
            // n = 5, score = 100
            //   02b90372a557         | add                 bh, byte ptr [ecx + 0x57a57203]
            //   02b903fea857         | add                 bh, byte ptr [ecx + 0x57a8fe03]
            //   02b9030ea9be         | add                 bh, byte ptr [ecx - 0x4156f1fd]
            //   08b9031ea91a         | or                  byte ptr [ecx + 0x1aa91e03], bh
            //   11b90341a920         | adc                 dword ptr [ecx + 0x20a94103], edi

        $sequence_6 = { 72a5 57 0299007ba5f1 0f6103 3e006003 }
            // n = 5, score = 100
            //   72a5                 | jb                  0xffffffa7
            //   57                   | push                edi
            //   0299007ba5f1         | add                 bl, byte ptr [ecx - 0xe5a8500]
            //   0f6103               | punpcklwd           mm0, qword ptr [ebx]
            //   3e006003             | add                 byte ptr ds:[eax + 3], ah

        $sequence_7 = { a9be08e903 8ea7d208e103 08a626113104 7ea8 0011 b903aba92d }
            // n = 6, score = 100
            //   a9be08e903           | test                eax, 0x3e908be
            //   8ea7d208e103         | mov                 fs, word ptr [edi + 0x3e108d2]
            //   08a626113104         | or                  byte ptr [esi + 0x4311126], ah
            //   7ea8                 | jle                 0xffffffaa
            //   0011                 | add                 byte ptr [ecx], dl
            //   b903aba92d           | mov                 ecx, 0x2da9ab03

        $sequence_8 = { 02ad470ad904 3e00b200d10402 ad 0b1451 0152a1 }
            // n = 5, score = 100
            //   02ad470ad904         | add                 ch, byte ptr [ebp + 0x4d90a47]
            //   3e00b200d10402       | add                 byte ptr ds:[edx + 0x204d100], dh
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   0b1451               | or                  edx, dword ptr [ecx + edx*2]
            //   0152a1               | add                 dword ptr [edx - 0x5f], edx

        $sequence_9 = { 12a900feab2b 1029 0267ab c01271 001a ac d208 }
            // n = 7, score = 100
            //   12a900feab2b         | adc                 ch, byte ptr [ecx + 0x2babfe00]
            //   1029                 | adc                 byte ptr [ecx], ch
            //   0267ab               | add                 ah, byte ptr [edi - 0x55]
            //   c01271               | rcl                 byte ptr [edx], 0x71
            //   001a                 | add                 byte ptr [edx], bl
            //   ac                   | lodsb               al, byte ptr [esi]
            //   d208                 | ror                 byte ptr [eax], cl

    condition:
        7 of them and filesize < 516096
}
Download all Yara Rules