Russian cyberspies have developed a new breed of backdoor trojan that features several novel techniques, including an API that allows attackers to reverse the C&C communications flow when needed.
In the malware's source code, its author referenced this tool as Kazuar, a word that means "cassowary" in several Slavic languages.
Researchers say Kazuar is coded in the .NET Framework and appears to have versions for all three major operating systems. The Palo Alto report analyzes Kazuar, the name given to the Windows version, while the Fox-IT report analyzes Snake, the name given to the Mac version. A Linux version has not been seen yet, but Palo Alto says there are clues in the Kazuar source code that hint at its existence.
Both Fox-IT and Palo Alto have linked this backdoor to a cyber-espionage group called Turla, believed to be operating out of Russia, which Kaspersky believes is linked to one of the first cyber-espionage groups ever spotted, the Moonlight Maze APT that was active as early as 1995, well over two decades ago.
According to both security firms, Kazuar appears to be a replacement for the Uroburos backdoor trojan, already exposed in 2014 by G Data researchers. It is very common for cyber-espionage groups to replace malware that has been detected by security researchers.
Palo Alto says the links to previous Turla malware are evident, as its researchers were able to trace some code back to Turla operations that took place in 2005.
Below are some of Kazuar's main features:
According to researchers, the most notable and original feature is in Kazuar's C&C server communications.
By default and similar to most backdoor trojans, Kazuar will contact a hard-coded C&C server address for more instructions. While most of the commands a Kazuar backdoor receives from its C&C server are similar to what other malware families receive, one command stands out.
That command is "remote," which starts a web server on the infected host, exposing an API for remote connections.
In other words, Kazuar has the ability to reverse the flow of normal C&C server communications. Instead of infected hosts polling the C&C server for new commands, an attacker can connect to the victim whenever they want and send new instructions.
This approach has two main benefits. First, it allows the attacker to migrate C&C servers at will. Second, it allows the malware to bypass some security solutions that keep a closer eye on outbound connections to suspicious domains than on incoming connections.
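Because the "remote" command turns the infected host into something that accepts inbound connections, one host-side check a defender can run is to list listening sockets and compare them against a known baseline. The following is an added example, not code from the article or from either vendor's report; the `ss -ltnp` sample lines, the process names and the allowlist are constructed.

```python
"""Flag unexpected listening TCP sockets from `ss -ltnp`-style output.
Sample lines and the baseline allowlist are constructed for illustration."""
import re

# Hypothetical baseline of listeners that are expected on this workstation.
EXPECTED_LISTENERS = {
    ("0.0.0.0", 22, "sshd"),
    ("127.0.0.1", 631, "cupsd"),
}

# Constructed sample of `ss -ltnp` output (Linux). The last line mimics an
# unfamiliar process that has opened an HTTP-style listener on a high port.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      127.0.0.1:631     0.0.0.0:*         users:(("cupsd",pid=901,fd=7))
LISTEN 0      100    0.0.0.0:8080      0.0.0.0:*         users:(("updater",pid=4211,fd=12))
"""

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(ss_output):
    """Return (addr, port, process, pid) tuples for every LISTEN line."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append((m["addr"], int(m["port"]), m["proc"], int(m["pid"])))
    return found


def unexpected_listeners(ss_output, expected=EXPECTED_LISTENERS):
    """Listeners absent from the baseline. On a workstation, a new inbound-facing
    socket owned by an unfamiliar process deserves a closer look, since inbound
    reachability is exactly what a reversed C&C flow depends on."""
    return [l for l in parse_listeners(ss_output) if (l[0], l[1], l[2]) not in expected]


if __name__ == "__main__":
    for addr, port, proc, pid in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener {addr}:{port} owned by {proc} (pid {pid})")
```

On a real host, feed the function the actual `ss -ltnp` output and maintain the baseline per host role; the check is only as good as that baseline.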
As for the Mac OS X variant dubbed Snake, according to Switzerland's CERT team, this was the malware used in a 2014 cyber-attack against RUAG, a local weapons manufacturer. No details are available yet on where the Kazuar backdoor was deployed.