Kazuar
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.001 | Account Discovery: Local Account | Kazuar gathers information on local groups and members on the victim's machine.(Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Kazuar uses HTTP and HTTPS to communicate with the C2 server. Kazuar can also act as a web server and listen for inbound HTTP requests through an exposed API.(Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | Kazuar uses FTP and FTPS to communicate with the C2 server.(Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Kazuar adds a sub-key under several Registry run keys.(Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Kazuar adds a .lnk file to the Windows startup folder.(Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Kazuar uses cmd.exe to execute commands on the victim's machine.(Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Kazuar uses /bin/bash to execute commands on the victim's machine.(Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Kazuar can install itself as a new service.(Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Kazuar encodes communications to the C2 server in Base64.(Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Kazuar stages command output and collected data in files before exfiltration.(Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Kazuar can delete files.(Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | Kazuar gathers information about local groups and members.(Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes.(Citation: Unit 42 Kazuar May 2017) |
| Enterprise | T1090.001 | Proxy: Internal Proxy | Kazuar has used internal nodes on the compromised network for C2 communications.(Citation: Accenture HyperStack October 2020) |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | Kazuar has used compromised WordPress blogs as C2 servers.(Citation: Unit 42 Kazuar May 2017) |
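The host-side behaviours in the table (Run-key persistence, a .lnk in a Startup folder, a new service, and injection into explorer.exe) are all visible in ordinary endpoint telemetry. The following is an added example, not code from the ATT&CK page, from Unit 42, or from Kazuar: a small rule set run over constructed Sysmon-style events. The `Event` fields, the file and Registry paths in the samples, the `update.exe` dropper name and the `csrss.exe` allowlist are assumptions made for the demonstration and should be tuned against real Sysmon output.

```python
"""Added example (not from the ATT&CK page, Unit 42, or Kazuar): rules over
constructed Sysmon-style events for T1547.001, T1547.009, T1543.003 and
T1055.001. The Event shape below is a simplified assumption, not the full
Sysmon schema."""

from dataclasses import dataclass
from typing import Callable, List, Optional

# Sysmon event IDs used here: 11 FileCreate, 12 registry key create/delete,
# 13 registry value set, 8 CreateRemoteThread.
EV_FILE_CREATE, EV_REG_KEY, EV_REG_VALUE, EV_REMOTE_THREAD = 11, 12, 13, 8

# Case-insensitive path fragments (compared against lower-cased targets).
RUN_KEY_MARKER = "\\currentversion\\run"            # covers Run, RunOnce, RunOnceEx
STARTUP_MARKER = "\\start menu\\programs\\startup\\"  # per-user and all-users folders
SERVICE_MARKER = "\\currentcontrolset\\services\\"
# Processes that legitimately create threads in explorer.exe: an assumed
# baseline, tune per environment.
INJECTION_ALLOWLIST = {"csrss.exe"}


@dataclass(frozen=True)
class Event:
    event_id: int
    image: str   # process that performed the action
    target: str  # TargetObject / TargetFilename / TargetImage, depending on event


@dataclass(frozen=True)
class Finding:
    technique: str
    description: str
    event: Event


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_run_key(ev: Event) -> Optional[Finding]:
    if ev.event_id in (EV_REG_KEY, EV_REG_VALUE) and RUN_KEY_MARKER in ev.target.lower():
        return Finding("T1547.001", "Registry Run key modified", ev)
    return None


def rule_startup_lnk(ev: Event) -> Optional[Finding]:
    t = ev.target.lower()
    if ev.event_id == EV_FILE_CREATE and STARTUP_MARKER in t and t.endswith(".lnk"):
        return Finding("T1547.009", ".lnk written to a Startup folder", ev)
    return None


def rule_service_install(ev: Event) -> Optional[Finding]:
    t = ev.target.lower()
    if ev.event_id == EV_REG_VALUE and SERVICE_MARKER in t and t.endswith("\\imagepath"):
        return Finding("T1543.003", "service ImagePath registered", ev)
    return None


def rule_explorer_injection(ev: Event) -> Optional[Finding]:
    if (ev.event_id == EV_REMOTE_THREAD and _base(ev.target) == "explorer.exe"
            and _base(ev.image) not in INJECTION_ALLOWLIST):
        return Finding("T1055.001", "remote thread created in explorer.exe", ev)
    return None


RULES: List[Callable[[Event], Optional[Finding]]] = [
    rule_run_key, rule_startup_lnk, rule_service_install, rule_explorer_injection]


def scan(events) -> List[Finding]:
    """Apply every rule to every event, in event order, and collect the matches."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample telemetry: four malicious events from an assumed dropper,
# followed by benign noise that must not match.
DROPPER = "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
SAMPLE_EVENTS = [
    Event(EV_REG_VALUE, DROPPER,
          "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    Event(EV_FILE_CREATE, DROPPER,
          "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"),
    Event(EV_REG_VALUE, DROPPER, "HKLM\\System\\CurrentControlSet\\Services\\WinUpdSvc\\ImagePath"),
    Event(EV_REMOTE_THREAD, DROPPER, "C:\\Windows\\explorer.exe"),
    Event(EV_REG_VALUE, "C:\\Program Files\\Vendor\\setup.exe",
          "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Vendor\\DisplayName"),
    Event(EV_FILE_CREATE, "C:\\Windows\\explorer.exe", "C:\\Users\\alice\\Desktop\\report.lnk"),
    Event(EV_REMOTE_THREAD, "C:\\Windows\\System32\\csrss.exe", "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.description} by {f.event.image} -> {f.event.target}")
```

Each rule keys on the Sysmon field that carries the artefact (TargetObject for Registry writes, TargetFilename for the shortcut, TargetImage for the remote thread), so the same functions can be pointed at exported Sysmon events once the field names are mapped onto `Event`. The Windows System log's service-installation event is an independent second source for T1543.003 and is worth correlating with the Registry rule.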
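On the network side, the table records Base64-encoded C2 traffic over HTTP/HTTPS to compromised WordPress blogs. The following is an added example, not code from the ATT&CK page, from Unit 42, or from Kazuar: a triage helper for proxy or capture logs that finds request values which are entirely Base64 (query parameters, form fields, or a bare body), repairs stripped padding and the URL-safe alphabet, and decodes them so an analyst can see whether the payload is readable text or opaque bytes. The host name, the `/wp-content/...` paths, the session id and the command string in the samples are constructed for the demonstration; they are not real Kazuar traffic or real Kazuar message formats.

```python
"""Added example (not from the ATT&CK page, Unit 42, or Kazuar): pull
whole-value Base64 tokens out of an HTTP request and decode them
(T1132.001 carried over T1071.001). All requests and payloads below are
constructed for the demo."""

import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Whole-value match: 16+ alphabet characters (standard or URL-safe) and at most
# two '=' pads. Shorter tokens are skipped on purpose: ordinary words such as
# "home" or "login" are also syntactically valid Base64.
_B64_VALUE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")


def decode_b64_value(value: str):
    """Strictly decode one value; returns None for anything that is not Base64.
    Handles the URL-safe alphabet and padding that a client stripped."""
    if not _B64_VALUE.fullmatch(value):
        return None
    normalized = value.replace("-", "+").replace("_", "/").rstrip("=")
    normalized += "=" * (-len(normalized) % 4)
    try:
        return base64.b64decode(normalized, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace: Base64 of a
    command string scores near 1.0, Base64 of ciphertext scores low."""
    if not data:
        return 0.0
    text = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return text / len(data)


def split_request(raw: str):
    """Return (query string, body) from raw HTTP/1.1 request text."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    _method, target, _version = request_line.split(" ", 2)
    return urlsplit(target).query, body.strip()


def triage_request(raw: str) -> list:
    """List every Base64-encoded value in the request with its location,
    the decoded bytes, and how text-like the decoded bytes are."""
    query, body = split_request(raw)
    candidates = [(f"query:{k}", v) for k, v in parse_qsl(query)]
    if body:
        candidates.append(("body", body))                              # bare Base64 body
        candidates += [(f"form:{k}", v) for k, v in parse_qsl(body)]  # form fields
    hits = []
    for where, value in candidates:
        decoded = decode_b64_value(value)
        if decoded is not None:
            hits.append({"where": where, "blob": value, "decoded": decoded,
                         "printable_ratio": printable_ratio(decoded)})
    return hits


def build_request(method: str, path: str, query: str = "", body: str = "") -> str:
    """Assemble a constructed raw request for the demo (fictitious host)."""
    target = f"{path}?{query}" if query else path
    return (f"{method} {target} HTTP/1.1\r\nHost: blog.example.invalid\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n\r\n{body}")


# Constructed samples.
# 1. Beacon-style post: URL-safe session id with its padding stripped in the
#    query string, plus a standard-alphabet command in a form field.
SESSION_ID = base64.urlsafe_b64encode(b"id=1337;os=win").decode().rstrip("=")
COMMAND = base64.b64encode(b"cmd.exe /c whoami /all").decode()
SAMPLE_FORM_POST = build_request("POST", "/wp-content/uploads/index.php",
                                 query=urlencode({"id": SESSION_ID}),
                                 body=urlencode({"data": COMMAND}))
# 2. Bare body carrying opaque bytes (what an encrypted blob looks like).
SAMPLE_BLOB_POST = build_request("POST", "/wp-content/uploads/index.php",
                                 body=base64.b64encode(bytes(range(24))).decode())
# 3. Ordinary login form: short values, nothing should be flagged.
SAMPLE_BENIGN_POST = build_request("POST", "/wp-login.php",
                                   body=urlencode({"user": "alice", "action": "login"}))

if __name__ == "__main__":
    for name, req in [("form", SAMPLE_FORM_POST), ("blob", SAMPLE_BLOB_POST),
                      ("benign", SAMPLE_BENIGN_POST)]:
        for hit in triage_request(req):
            print(f"{name}: {hit['where']} -> {hit['decoded']!r} "
                  f"(printable {hit['printable_ratio']:.2f})")
```

Only query values, form values and the whole body are tested, never the URL path or headers, because long hyphenated path segments and `Content-Type` values are valid Base64 alphabet and would produce false positives. A low `printable_ratio` on a valid decode is the cue that an additional layer (compression or encryption) sits under the Base64 and that the decoded bytes need further analysis rather than a string search.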
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0010 | Turla | (Citation: Unit 42 Kazuar May 2017) (Citation: Talos TinyTurla September 2021) |
References
- Levene, B., et al. (2017, May 3). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
- Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.