Russian Hackers Turned the Kazuar Backdoor Into a Modular P2P Botnet

17.05.2026 4 minutes Author: Newsman

Russian hacking group Turla has upgraded the Kazuar backdoor, transforming it into a modular peer-to-peer botnet with new concealment and resilience mechanisms. Researchers warn that the updated malware is much more difficult to track and block.

Secret Blizzard, a Russian cybercrime group associated with the Federal Security Service (FSB), has dramatically enhanced its Kazuar backdoor; it is now a modular peer-to-peer botnet capable of supporting long-term, covert intelligence gathering and data collection operations.

Researchers at Microsoft explain that this latest variant of Kazuar is built upon an advanced architecture consisting of multiple modules, and it is designed to provide additional stealth capabilities, enabling it to be deployed and remain hidden within infected networks.

Secret Blizzard was previously identified in connection with other sophisticated attacks such as Turla, Uroburos and Venomous Bear. Microsoft researchers believe that members of Secret Blizzard are employed by the FSB and that they have conducted continuous cyber-attacks against government entities, diplomatic organizations, the defense industry, and critical infrastructure across Europe, Asia, and Ukraine for many years.

Although researchers found that parts of the Kazuar backdoor date back to 2005, Kazuar itself was first discovered in 2017. Researchers have also documented its use in numerous cyber-espionage campaigns targeting European governments and Ukrainian organizations. Microsoft examined the current iteration of the malware and concluded that Kazuar now consists of three discrete components: Core, Bridge, and Worker.

Core Module – The Core module functions as the centralized manager of all the systems infected by Kazuar. It coordinates other components, assigns tasks, directs data exchange between infected systems, and selects a “lead” infected device.

The lead device then communicates directly with the hacker’s Command & Control Server. The remaining devices in the network remain dormant (“quiet”) and do not communicate directly with any external entity. This provides additional challenges to detecting malicious behavior.

“The core leader is a selected kernel module that interacts with the Bridge module on behalf of other kernel modules to reduce visibility and prevent large amounts of external communications from various infected hosts,” states Microsoft.

The selection of the lead is performed automatically. It considers factors related to system uptime, reboot counts, and other stability metrics.

Bridge Module – The Bridge module operates as a communication proxy. All communications between infected systems and the Command & Control Servers pass through it. Communications methods include HTTP, WebSockets, or Exchange Web Services.

Internal communications scheme of Kazuar

Data transmission between components is achieved via internal communication mechanisms built on IPC techniques such as Windows Messaging, MailSlots, or Named Pipes. Messages are serialized with Google Protocol Buffers and encrypted with AES before being sent.

Worker Module – The Worker module is specifically responsible for conducting espionage-related activities. These can include:

Record Keystrokes
Take Screenshots
Collect Files
Conduct Network Reconnaissance
Conduct System Reconnaissance
Steal Outlook and MAPI Data
Monitor Active Windows
Collect Recent File Open Activity

Collected data is encrypted and temporarily stored locally until transmitted through the Bridge component.

Types of system information collected by Kazuar

Microsoft reports that the newest iteration of Kazuar exposes over 150 configuration options. Operators can independently activate or deactivate evasion mechanisms for security products, schedule collection of sensitive data, define exfiltration fragment sizes, perform remote process injection, and execute commands on compromised machines.

Kazuar also includes evasions for antivirus and monitoring mechanisms such as AMSI and ETW, as well as a Windows Lockdown Policy bypass.

Microsoft asserts that Secret Blizzard is primarily engaged in long-term espionage. Its main targets remain sensitive documents, email correspondence, and any other data that could hold significant political or strategic value.

Microsoft recommends that organizations rely on behavioral threat detection, because Kazuar's modular design and dynamic configuration let it evade traditional signature-based protection.
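One behavioral angle the architecture described above suggests: infected hosts exchange data with each other over IPC while only the elected lead host talks outward. The toy correlation below is an added example, not Microsoft's detection logic or anything from the Kazuar research; it runs over a constructed event list with an assumed, simplified schema and flags IPC clusters in which exactly one member has external connections.

```python
"""Toy host-telemetry correlation (added example, constructed data).

Assumed event shape, not a real EDR/Sysmon schema:
  {"host": "WS1", "kind": "pipe", "peer": "WS2"}         # host-to-host IPC (pipe/mailslot)
  {"host": "WS1", "kind": "net",  "dst": "203.0.113.5"}  # outbound connection
Heuristic from the article: quiet hosts only use IPC, the lead host reaches C2.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: WS1..WS3 form an IPC chain and only WS1 goes external;
# FS1/FS2 also share a pipe but both have their own external traffic (benign).
SAMPLE_EVENTS = [
    {"host": "WS1", "kind": "pipe", "peer": "WS2"},
    {"host": "WS2", "kind": "pipe", "peer": "WS3"},
    {"host": "WS1", "kind": "net", "dst": "203.0.113.5"},
    {"host": "WS2", "kind": "net", "dst": "10.0.0.20"},   # internal only
    {"host": "FS1", "kind": "pipe", "peer": "FS2"},
    {"host": "FS1", "kind": "net", "dst": "198.51.100.7"},
    {"host": "FS2", "kind": "net", "dst": "198.51.100.8"},
]

# Explicit RFC1918/loopback list: ipaddress.is_global treats TEST-NET as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(dst):
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in INTERNAL_NETS)

def ipc_components(events):
    """Connected components of the undirected host-to-host IPC graph."""
    adj = defaultdict(set)
    for e in events:
        if e["kind"] == "pipe":
            adj[e["host"]].add(e["peer"]); adj[e["peer"]].add(e["host"])
    seen, comps = set(), []
    for start in adj:
        if start in seen: continue
        comp, stack = set(), [start]
        while stack:
            h = stack.pop()
            if h not in comp:
                comp.add(h); stack.extend(adj[h] - comp)
        seen |= comp; comps.append(comp)
    return comps

def external_talkers(events):
    """Hosts with at least one outbound connection to a non-internal address."""
    return {e["host"] for e in events if e["kind"] == "net" and is_external(e["dst"])}

def find_quiet_clusters(events):
    """(lead, sorted quiet peers) for IPC clusters where exactly one host is external."""
    ext, hits = external_talkers(events), []
    for comp in ipc_components(events):
        leads = comp & ext
        if len(comp) >= 2 and len(leads) == 1:
            lead = leads.pop(); hits.append((lead, sorted(comp - {lead})))
    return hits
```

Real telemetry would come from named-pipe and network-connection events (for example Sysmon pipe and network event types); the cluster rule is a starting point for hunting, not a complete detection.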
