Researchers Find Links Between Sunburst and Russian Kazuar Malware

Cybersecurity researchers, for the initially time, might have discovered a probable link among the backdoor utilised in the SolarWinds hack to a formerly identified malware strain.

In new investigate revealed by Kaspersky researchers nowadays, the cybersecurity firm reported it found numerous features that overlap with an additional backdoor known as Kazuar, a .Net-based mostly malware 1st documented by Palo Alto Networks in 2017.

Disclosed early final month, the espionage campaign was notable for its scale and stealth, with the attackers leveraging the trust affiliated with SolarWinds Orion computer software to infiltrate governing administration organizations and other corporations so as to deploy a personalized malware codenamed “Sunburst.”

Shared Attributes Between Sunburst and Kazuar

Attribution for the SolarWinds provide-chain compromise has been tricky in portion owing to minor-to-no clues linking the assault infrastructure to past campaigns or other well-regarded risk groups.

But Kaspersky’s most up-to-date investigation of the Sunburst backdoor has uncovered a number of shared attributes between the malware and Kazuar, foremost the scientists to suspect that —

  • Both Sunburst and Kazuar have been designed by the similar threat group
  • The adversary guiding Sunburst applied Kazuar as an inspiration
  • The groups behind Kazuar (Turla) and Sunburst (UNC2452 or Dim Halo) acquired the malware from a one supply
  • The builders of Kazuar moved to an additional crew, getting their toolset with them, or
  • The Sunburst builders deliberately launched these one-way links as “wrong flag” to shift blame to one more group

The commonalities shared in between the two malware people consist of the use of a sleeping algorithm to continue to be dormant for a random time period in between connections to a C2 server, the substantial usage of the FNV-1a hash to obfuscate the malicious code, and the use of a hashing algorithm to create special sufferer identifiers.

Whilst Kazuar randomly selects a sleeping period of time involving two and four months amongst C2 connections, Sunburst randomly opts for a sleeping period of time involving 12 and 14 times before getting in touch with the server for preliminary reconnaissance. But researchers observed that the formulation utilized to work out the sleeping time continues to be the identical.

Kazuar’s Feasible Inbound links to Turla

Kazuar is a thoroughly featured backdoor created applying the .Internet Framework and relies on a command-and-command (C2) channel to allow for actors to interact with the compromised process and exfiltrate facts. Its features run the normal spyware gamut, with support for running destructive instructions, seize screenshots, and even deploy supplemental functionalities by using a plugin command.

Palo Alto Networks’ Unit 42 crew tentatively connected the resource to the Russian menace team Turla (aka Uroburos and Snake) dependent on the fact that the “code lineage in Kazuar can be traced again to at minimum 2005.”

What is actually additional, on November 18, 2020, Kazuar seems to have been through a complete redesign with a new keylogger and password-thieving capabilities added to the backdoor that is applied in the form of C2 server command.

Though it’s typical for danger actors to keep updating their toolset and introduce attributes made to bypass endpoint detection and response (EDR) methods, Kaspersky scientists elevated the probability that the modifications might have been launched in reaction to the SolarWinds breach.

“Suspecting the SolarWinds assault may well be identified, the Kazuar code was altered to resemble the Sunburst backdoor as small as possible,” the scientists said.

CISA Updates SolarWinds Advisory

Final 7 days, the U.S. Cybersecurity and Infrastructure Stability Agency (CISA), alongside with the Federal Bureau of Investigation (FBI), the Workplace of the Director of Nationwide Intelligence (ODNI), and the National Security Company (NSA), issued a joint statement formally accusing an adversary “probably Russian in origin” for staging the SolarWinds hack.

Moreover, CISA, in an update to its advisory on January 6, claimed, “incident response investigations have recognized that initial obtain in some cases was acquired by password guessing, password spraying, and inappropriately secured administrative credentials available via exterior distant entry solutions.”

“These code overlaps in between Kazuar and Sunburst are appealing and represent the initial potential discovered connection to a formerly recognized malware family members,” Kaspersky scientists concluded.

“Although Kazuar and Sunburst could be linked, the character of this relation is however not apparent. Via additional evaluation, it is achievable that evidence confirming a single or quite a few of these points could possibly arise. At the exact same time, it is also probable that the Sunburst builders had been really great at their opsec and did not make any errors, with this hyperlink becoming an elaborate untrue flag.”

Fibo Quantum