

Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. [1]

ID: S0265
Platforms: Windows, macOS
Version: 1.1

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | Kazuar gathers information on local groups and members on the victim’s machine. [1] |
| Enterprise | T1010 | Application Window Discovery | Kazuar gathers information about opened windows. [1] |
| Enterprise | T1059 | Command-Line Interface | Kazuar uses cmd.exe and /bin/bash to execute commands on the victim’s machine. [1] |
| Enterprise | T1485 | Data Destruction | Kazuar can overwrite files with random data before deleting them. [1] |
| Enterprise | T1132 | Data Encoding | Kazuar encodes communications to the C2 server in Base64. [1] |
| Enterprise | T1005 | Data from Local System | Kazuar uploads files from a specified directory to the C2 server. [1] |
| Enterprise | T1074 | Data Staged | Kazuar stages command output and collected data in files before exfiltration. [1] |
| Enterprise | T1008 | Fallback Channels | Kazuar can accept multiple URLs for C2 servers. [1] |
| Enterprise | T1083 | File and Directory Discovery | Kazuar finds a specified directory and lists the files and metadata about those files. [1] |
| Enterprise | T1107 | File Deletion | Kazuar can delete files. [1] |
| Enterprise | T1050 | New Service | Kazuar can install itself as a new service. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the names of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher. [1] |
| Enterprise | T1069 | Permission Groups Discovery | Kazuar gathers information about local groups and members. [1] |
| Enterprise | T1057 | Process Discovery | Kazuar obtains a list of running processes through WMI querying and the ps command. [1] |
| Enterprise | T1055 | Process Injection | If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes. [1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Kazuar adds a sub-key under several Registry run keys. [1] |
| Enterprise | T1105 | Remote File Copy | Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary. [1] |
| Enterprise | T1029 | Scheduled Transfer | Kazuar can sleep for a specific time and be set to communicate at specific intervals. [1] |
| Enterprise | T1113 | Screen Capture | Kazuar captures screenshots of the victim’s screen. [1] |
| Enterprise | T1023 | Shortcut Modification | Kazuar adds a .lnk file to the Windows startup folder. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | Kazuar uses HTTP, HTTPS, FTP, and FTPS to communicate with the C2 server. Kazuar can also act as a webserver and listen for inbound HTTP requests through an exposed API. [1] |
| Enterprise | T1082 | System Information Discovery | Kazuar gathers information on the system and local drives. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Kazuar gathers information about network adapters. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Kazuar gathers information on users. [1] |
| Enterprise | T1125 | Video Capture | Kazuar captures images from the webcam. [1] |
| Enterprise | T1102 | Web Service | Kazuar has used compromised WordPress blogs as C2 servers. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | Kazuar obtains a list of running processes through WMI querying. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0010 | Turla | [1] |