Russian hackers flip Kazuar backdoor into modular P2P botnet

The Russian hacker team Secret Snowfall has advanced its long-running Kazuar backdoor right into a modular peer-to-peer (P2P) botnet designed for long-term endurance, stealth, and knowledge assortment.

Secret Snowfall, whose process overlaps that of Turla, Uroburos, and Venomous Undergo, has been related to the Russian intelligence provider (FSB) and is understood for focused on executive and diplomatic organizations, defense-related entities, and demanding techniques throughout Europe, Asia, and Ukraine.

The Kazuar malware has been documented since 2017, and researchers discovered that its code lineage is going way back to 2005. Its process has been connected to the Turla espionage team operating for the FSB.

In 2020, researchers uncovered its deployment in assaults focused on Ecu executive organizations. 3 years later, it used to be observed deployed in assaults towards Ukraine.

“Main” Kazuar

Microsoft researchers analyzed a contemporary variant of Kazuar and seen that the malware now operates the usage of 3 distinct modules: kernel, bridge, and employee.

The Kernel module is the central coordinator that manages duties, controls different modules, elects a pace-setter, and orchestrates communications and knowledge waft around the botnet.

The chief is basically one inflamed device inside of a compromised surroundings or community phase, which communicates with the command-and-control (C2) server, receives duties, and forwards them internally to the opposite inflamed techniques.

Non-leader techniques input “silent” mode and don’t keep in touch at once with the C2. This ends up in higher stealth and lowered detection floor.

“The Kernel chief is the only elected Kernel module that communicates with the Bridge module on behalf of the opposite Kernel modules, lowering visibility by way of averting massive volumes of exterior visitors from a couple of inflamed hosts,” explains Microsoft.

The method for deciding on the chief is inner and self reliant, the usage of uptime, reboot, and interruption counts.

The Bridge module acts because the exterior communications proxy that relays visitors between the elected Kernel chief and the faraway C2 infrastructure the usage of protocols like HTTP, WebSockets, or Change Internet Services and products (EWS).

Interior communications depend on IPC (inter-process communique), together with Home windows Messaging, Mailslots, and named pipes, mixing smartly with standard operational noise. The messages are AES-encrypted and serialized with Google Protocol Buffers (Protobuf).

The Employee module plays the real espionage operations, akin to:

• keylogging
• shooting screenshots
• harvesting information from the filesystem
• acting device and community reconnaissance
• gathering electronic mail/MAPI information (together with Outlook downloads)
• tracking home windows
• stealing fresh recordsdata

The amassed information is encrypted, staged in the neighborhood, and later exfiltrated in the course of the Bridge module.

Microsoft underlines Kazuar’s versatility, which now helps 150 configuration choices permitting operators to permit/disable explicit safety bypasses, carry out process scheduling, time the knowledge robbery and dimension of exfiltration chunks, carry out job injection, arrange duties and command execution, and extra.

In regards to the safety bypass choices, Kazuar now provides Antimalware Scan Interface (AMSI) bypass, Tournament Tracing for Home windows (ETW) bypass, and Home windows Lockdown Coverage (WLDP) bypass.

Secret Snowfall most often seeks long-term endurance on the right track techniques for intelligence collections. The actor exfiltrates paperwork and electronic mail content material that has political significance.

Microsoft recommends that businesses center of attention their protection on behavioral detection fairly than static signatures, as Kazuar’s modular and extremely configurable nature makes the danger specifically evasive.