Kazuar

Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. [1]

ID: S0265
Type: MALWARE
Platforms: Windows, macOS
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery Kazuar gathers information on local groups and members on the victim’s machine.[1]
Enterprise T1010 Application Window Discovery Kazuar gathers information about opened windows.[1]
Enterprise T1059 Command-Line Interface Kazuar uses cmd.exe and /bin/bash to execute commands on the victim’s machine.[1]
Enterprise T1485 Data Destruction Kazuar can overwrite files with random data before deleting them.[1]
Enterprise T1132 Data Encoding Kazuar encodes communications to the C2 server in Base64.[1]
Enterprise T1005 Data from Local System Kazuar uploads files from a specified directory to the C2 server.[1]
Enterprise T1074 Data Staged Kazuar stages command output and collected data in files before exfiltration.[1]
Enterprise T1008 Fallback Channels Kazuar can accept multiple URLs for C2 servers.[1]
Enterprise T1083 File and Directory Discovery Kazuar finds a specified directory, lists the files and metadata about those files.[1]
Enterprise T1107 File Deletion Kazuar can delete files.[1]
Enterprise T1050 New Service Kazuar can install itself as a new service.[1]
Enterprise T1027 Obfuscated Files or Information Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher.[1]
Enterprise T1069 Permission Groups Discovery Kazuar gathers information about local groups and members.[1]
Enterprise T1057 Process Discovery Kazuar obtains a list of running processes through WMI querying and the ps command.[1]
Enterprise T1055 Process Injection If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes.[1]
Enterprise T1060 Registry Run Keys / Startup Folder Kazuar adds a sub-key under several Registry run keys.[1]
Enterprise T1105 Remote File Copy Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.[1]
Enterprise T1029 Scheduled Transfer Kazuar can sleep for a specific time and be set to communicate at specific intervals.[1]
Enterprise T1113 Screen Capture Kazuar captures screenshots of the victim’s screen.[1]
Enterprise T1023 Shortcut Modification Kazuar adds a .lnk file to the Windows startup folder.[1]
Enterprise T1071 Standard Application Layer Protocol Kazuar uses HTTP, HTTPS, FTP, and FTPS to communicate with the C2 server. Kazuar can also act as a webserver and listen for inbound HTTP requests through an exposed API.[1]
Enterprise T1082 System Information Discovery Kazuar gathers information on the system and local drives.[1]
Enterprise T1016 System Network Configuration Discovery Kazuar gathers information about network adapters.[1]
Enterprise T1033 System Owner/User Discovery Kazuar gathers information on users.[1]
Enterprise T1125 Video Capture Kazuar captures images from the webcam.[1]
Enterprise T1102 Web Service Kazuar has used compromised WordPress blogs as C2 servers.[1]
Enterprise T1047 Windows Management Instrumentation Kazuar obtains a list of running processes through WMI querying.[1]

Groups

Groups that use this software:

Turla

References