Threat Intelligence

Turla group evolves Kazuar backdoor into modular P2P botnet

The Russian state-sponsored hacking group Turla has updated its custom backdoor, Kazuar, transforming it into a modular peer-to-peer botnet designed for stealth and persistent access. This evolution aligns with the group's objective of long-term intelligence gathering, enhancing its capabilities for sophisticated cyber operations, with further coverage provided by The Hacker News.

Turla, also known as Secret Blizzard and linked to Russia's FSB, has re-engineered its Kazuar .NET backdoor, first used in 2017, into a modular botnet. This new architecture features three distinct components: Kernel, Bridge, and Worker. The Kernel module acts as the central coordinator, managing tasks, communication, and anti-analysis checks. The Bridge module serves as a proxy to the command-and-control (C2) server, while the Worker module handles data collection, including keystrokes and system information. This modular design allows for flexible configuration, reduces the malware's footprint, and facilitates broad tasking.

Attacks leveraging this updated Kazuar have been observed using droppers like Pelmeni and ShadowLoader. The Kernel module can elect a leader to manage communications and tasking, using methods like Windows Messaging, Mailslot, and named pipes for internal communication, and Exchange Web Services, HTTP, and WebSockets for external C2 contact. Data collected by the Worker is aggregated, encrypted, and exfiltrated via a dedicated working directory.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds