Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. [1]

ID: S0265
Platforms: Windows, macOS

Version: 1.1

Techniques Used

Domain | ID | Name | Use
--- | --- | --- | ---
Enterprise | T1087 | Account Discovery | Kazuar gathers information on local groups and their members on the victim's machine.[1]
Enterprise | T1010 | Application Window Discovery | Kazuar gathers information about open windows.[1]
Enterprise | T1059 | Command-Line Interface | Kazuar uses cmd.exe (Windows) and /bin/bash (Unix-like hosts) to execute commands on the victim's machine.[1]
Enterprise | T1485 | Data Destruction | Kazuar can overwrite files with random data before deleting them.[1]
Enterprise | T1132 | Data Encoding | Kazuar Base64-encodes its communications with the C2 server.[1]
Enterprise | T1005 | Data from Local System | Kazuar uploads files from a specified directory to the C2 server.[1]
Enterprise | T1074 | Data Staged | Kazuar stages command output and collected data in files before exfiltration.[1]
Enterprise | T1008 | Fallback Channels | Kazuar can accept multiple URLs for C2 servers.[1]
Enterprise | T1083 | File and Directory Discovery | Kazuar lists the files in a specified directory together with their metadata.[1]
Enterprise | T1107 | File Deletion | Kazuar can delete files.[1]
Enterprise | T1050 | New Service | Kazuar can install itself as a new service.[1]
Enterprise | T1027 | Obfuscated Files or Information | Kazuar is obfuscated with the open-source ConfuserEx protector. It also obfuscates the names of the files, folders and mutexes it creates, and encrypts the debug messages it writes to log files with the Rijndael cipher.[1]
Enterprise | T1069 | Permission Groups Discovery | Kazuar gathers information about local groups and their members.[1]
Enterprise | T1057 | Process Discovery | Kazuar obtains a list of running processes through WMI queries (Windows) and the ps command (Unix-like hosts).[1]
Enterprise | T1055 | Process Injection | When running on Windows, Kazuar saves a DLL to disk and injects it into the explorer.exe process to execute the payload. Kazuar can also be configured to inject into and execute within specific processes.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Kazuar adds a sub-key under several Registry Run keys.[1]
Enterprise | T1105 | Remote File Copy | Kazuar downloads additional plug-ins to load on the victim's machine, and can upgrade and replace its own binary the same way.[1]
Enterprise | T1029 | Scheduled Transfer | Kazuar can sleep for a specified time and can be set to communicate at specific intervals.[1]
Enterprise | T1113 | Screen Capture | Kazuar captures screenshots of the victim's screen.[1]
Enterprise | T1023 | Shortcut Modification | Kazuar adds a .lnk file to the Windows Startup folder.[1]
Enterprise | T1071 | Standard Application Layer Protocol | Kazuar uses HTTP, HTTPS, FTP and FTPS to communicate with the C2 server. It can also act as a web server and listen for inbound HTTP requests through an exposed API.[1]
Enterprise | T1082 | System Information Discovery | Kazuar gathers information on the system and its local drives.[1]
Enterprise | T1016 | System Network Configuration Discovery | Kazuar gathers information about network adapters.[1]
Enterprise | T1033 | System Owner/User Discovery | Kazuar gathers information on users.[1]
Enterprise | T1125 | Video Capture | Kazuar captures images from the webcam.[1]
Enterprise | T1102 | Web Service | Kazuar has used compromised WordPress blogs as C2 servers.[1]
Enterprise | T1047 | Windows Management Instrumentation | Kazuar obtains a list of running processes through WMI queries.[1]
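The persistence and injection rows above (Run key sub-keys, a .lnk in the Startup folder, a DLL injected into explorer.exe, installation as a new service) are the behaviours a defender can most easily turn into host telemetry checks. As an added example, not code from the original page or from the Kazuar report, the Python below expresses those four behaviours as rules over Sysmon-style and System-log event records and triages a small constructed batch. Field names (TargetObject, TargetFilename, SourceImage, TargetImage, ImagePath) follow the Sysmon and Windows event schemas; the `channel` key, the event values and the process and service names are invented for illustration.

```python
"""Triage Sysmon/System-log records for Kazuar-style persistence and injection.

Added example, not from the original page or the Kazuar report. Event records
are plain dicts as they might come out of a log pipeline; the "channel" field
and all values are constructed for this example.
"""
import re

# Sysmon event IDs (Sysmon channel) and the System log's "service installed" ID.
SYSMON_CREATE_REMOTE_THREAD = 8
SYSMON_FILE_CREATE = 11
SYSMON_REG_KEY_CREATE = 12
SYSMON_REG_VALUE_SET = 13
SYSTEM_SERVICE_INSTALLED = 7045

# Anything created directly beneath a Run or RunOnce key (sub-key or value).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\.", re.IGNORECASE)
# A .lnk landing in a per-user or common Startup folder.
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Service binaries under %SystemRoot% (optionally quoted path).
WINDOWS_DIR_RE = re.compile(r'^"?[A-Z]:\\Windows\\', re.IGNORECASE)


def run_key_write(ev):
    """T1060: a key or value created beneath one of the Run/RunOnce keys."""
    if ev["channel"] != "Sysmon" or ev["event_id"] not in (SYSMON_REG_KEY_CREATE, SYSMON_REG_VALUE_SET):
        return False
    return RUN_KEY_RE.search(ev.get("TargetObject", "")) is not None


def startup_lnk_drop(ev):
    """T1023: a .lnk file written into a Startup folder."""
    if ev["channel"] != "Sysmon" or ev["event_id"] != SYSMON_FILE_CREATE:
        return False
    return STARTUP_LNK_RE.search(ev.get("TargetFilename", "")) is not None


def explorer_injection(ev):
    """T1055: a remote thread created in explorer.exe by a different process."""
    if ev["channel"] != "Sysmon" or ev["event_id"] != SYSMON_CREATE_REMOTE_THREAD:
        return False
    target = ev.get("TargetImage", "").lower()
    source = ev.get("SourceImage", "").lower()
    return target.endswith("\\explorer.exe") and source != target


def non_system_service(ev):
    """T1050: a newly installed service whose binary lives outside %SystemRoot%.
    Heuristic only: legitimate third-party services trip it too, so treat hits as leads."""
    if ev["channel"] != "System" or ev["event_id"] != SYSTEM_SERVICE_INSTALLED:
        return False
    return WINDOWS_DIR_RE.match(ev.get("ImagePath", "")) is None


RULES = [
    ("T1060 run key write", run_key_write),
    ("T1023 startup .lnk", startup_lnk_drop),
    ("T1055 explorer.exe injection", explorer_injection),
    ("T1050 non-system service", non_system_service),
]


def triage(events):
    """Return (rule name, acting image or service path) for every matching event."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                actor = ev.get("Image") or ev.get("SourceImage") or ev.get("ImagePath", "?")
                hits.append((name, actor))
    return hits


# Constructed records: four that mimic the behaviours in the table, two benign.
SAMPLE_EVENTS = [
    {"channel": "Sysmon", "event_id": 13,
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\k7dx.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\k7dx",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\k7dx.exe"},
    {"channel": "Sysmon", "event_id": 11,
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\k7dx.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\k7dx.lnk"},
    {"channel": "Sysmon", "event_id": 8,
     "SourceImage": "C:\\Users\\alice\\AppData\\Roaming\\k7dx.exe",
     "TargetImage": "C:\\Windows\\explorer.exe"},
    {"channel": "System", "event_id": 7045,
     "ServiceName": "k7dxsvc", "ImagePath": "C:\\ProgramData\\k7dx\\k7dx.exe"},
    {"channel": "Sysmon", "event_id": 13,
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\x",
     "Details": "1"},
    {"channel": "System", "event_id": 7045,
     "ServiceName": "WpnUserService_x", "ImagePath": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup"},
]

if __name__ == "__main__":
    for rule_name, actor in triage(SAMPLE_EVENTS):
        print(f"{rule_name}: {actor}")
```

The rules are deliberately narrow (explorer.exe as injection target, Run/RunOnce only, Startup-folder .lnk only) because that is what the report attributes to Kazuar; in a real deployment, widen the process and key lists and suppress known-good images rather than relying on the %SystemRoot% heuristic for services.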


Groups that use this software: