Russian Hackers Transform Kazuar Backdoor into P2P Botnet
Secret Blizzard, a Russian hacker group with ties to the FSB, has evolved the Kazuar backdoor into a sophisticated modular peer-to-peer (P2P) botnet. The change aims to enhance long-term persistence, stealth, and data collection capabilities.
Secret Blizzard’s operations have been observed overlapping with other notorious groups like Turla, Uroburos, and Venomous Bear. Their primary targets include government and diplomatic organizations, defense-related entities, and critical systems across Europe, Asia, and Ukraine.
The Kazuar malware, initially identified in 2017, has roots tracing back to 2005. It has been associated with the Turla espionage group, a unit operating on behalf of the FSB. Recent research has linked Kazuar to cyberattacks on European government entities in 2020 and Ukrainian targets in subsequent years.
The Architecture of Kazuar
Microsoft researchers have dissected a new variant of Kazuar, noting its use of three key modules: Kernel, Bridge, and Worker. The Kernel module serves as the central coordinator, managing tasks, electing a leader, and facilitating communication within the botnet.
The leader, a single infected system within a compromised network segment, communicates with the command-and-control (C2) server, receiving and distributing tasks to other infected systems. This approach enhances stealth by keeping non-leader systems in a “silent” mode, minimizing detection risks.
Microsoft explains that the Kernel leader streamlines communication with the Bridge module, which acts as an external communications proxy. This module relays traffic between the leader and the remote C2 infrastructure using various protocols like HTTP, WebSockets, or Exchange Web Services (EWS).
(Figure: Kazuar’s internal communications diagram. Source: Microsoft)
Internal communication relies on IPC mechanisms such as Windows Messaging, Mailslots, and named pipes, which helps the traffic blend in with regular network activity. All messages are encrypted using AES and serialized with Google Protocol Buffers (Protobuf).
The Worker module, responsible for espionage operations, includes tasks like keylogging, screenshot capture, data harvesting from filesystems, system and network reconnaissance, email/MAPI data collection, Windows monitoring, and file theft. The collected data is encrypted, stored locally, and later transmitted through the Bridge module.
(Figure: Types of system info Kazuar collects. Source: Microsoft)
Kazuar exposes 150 configuration options, letting operators customize security bypasses, task scheduling, data theft timing, exfiltration chunk sizes, process injection, and command execution management.
Notably, Kazuar now offers bypass capabilities for Antimalware Scan Interface (AMSI), Event Tracing for Windows (ETW), and Windows Lockdown Policy (WLDP), enhancing its evasion tactics.
Secret Blizzard’s focus on long-term persistence underscores their objective of extracting politically sensitive documents and email content. To counter this threat, Microsoft recommends implementing behavioral detection strategies rather than relying on static signatures.
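One way to turn the leader/silent-node architecture described above into a behavioral check rather than a signature is to correlate host egress with internal named-pipe activity. The example below is added here and is not code from Microsoft or from the article; the event format, the internal address range, and the threshold are assumptions, and the telemetry is constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space; anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample telemetry (not real Kazuar data), one event per line:
#   "<host>,<host_ip>,net,<dst_ip>:<port>"  outbound network connection
#   "<host>,<host_ip>,pipe,<peer_ip>"       inbound named-pipe session from peer
SAMPLE_EVENTS = """\
ws-01,10.0.5.11,net,203.0.113.40:443
ws-01,10.0.5.11,pipe,10.0.5.12
ws-01,10.0.5.11,pipe,10.0.5.13
ws-01,10.0.5.11,pipe,10.0.5.14
ws-02,10.0.5.12,net,10.0.5.11:445
ws-03,10.0.5.13,net,10.0.5.11:445
ws-04,10.0.5.14,net,10.0.5.11:445
ws-04,10.0.5.14,net,198.51.100.7:80
fs-01,10.0.5.20,net,203.0.113.40:443
"""

def is_external(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)

def parse_events(text):
    """Split the CSV-style lines into (host, host_ip, event, dst) tuples."""
    return [tuple(line.split(",")) for line in text.strip().splitlines()]

def find_leader_candidates(events, min_silent_peers=2):
    """Flag hosts that reach external addresses and also serve named pipes to
    >= min_silent_peers internal peers that never reach outside themselves."""
    egress = defaultdict(set)      # host_ip -> external destinations contacted
    pipe_peers = defaultdict(set)  # host_ip -> internal peers that opened pipes
    for _host, ip, event, dst in events:
        if event == "net":
            dst_ip = dst.rsplit(":", 1)[0]
            if is_external(dst_ip):
                egress[ip].add(dst_ip)
        elif event == "pipe":
            pipe_peers[ip].add(dst)
    candidates = {}
    for ip, peers in pipe_peers.items():
        if not egress[ip]:
            continue  # no external egress of its own: not a leader
        silent = sorted(p for p in peers if not egress[p])
        if len(silent) >= min_silent_peers:
            candidates[ip] = silent
    return candidates
```

In the constructed data, ws-01 is the only host that both talks to an external address and receives pipe sessions from peers with no egress of their own, so it is the one flagged; fs-01 has egress but no silent peers, and ws-04 is excluded from the silent set because it reaches outside itself.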