Malware

Russian cyberspies have developed a new breed of backdoor trojan that features several novel techniques, including an API that allows attackers to reverse the C&C communications flow when needed.

This new threat came to light on Wednesday via two reports from Fox-IT and Palo Alto Networks, respectively.

In the malware's source code, its author refers to the tool as Kazuar, a word that means "cassowary" in several Slavic languages.

Researchers say Kazuar is written in .NET and appears to have versions for all three major desktop operating systems. The Palo Alto report analyzes Kazuar, the name given to the Windows version, while the Fox-IT report analyzes Snake, the name given to the Mac version. A Linux version has not been seen yet, but Palo Alto says there are clues in the Kazuar code (such as Linux-specific code paths) that hint at its existence.

Kazuar linked to the Turla APT

Both Fox-IT and Palo Alto have linked this backdoor to Turla, a cyber-espionage group believed to operate out of Russia. Kaspersky has in turn linked Turla to Moonlight Maze, one of the first cyber-espionage operations ever spotted, which was active as early as 1995, well over two decades ago.

According to both security firms, Kazuar appears to be a replacement for the Uroburos backdoor trojan, exposed in 2014 by G Data researchers. It is very common for cyber-espionage groups to replace malware once security researchers have detected and documented it.

Palo Alto says the links to previous Turla malware are evident: the researchers traced some of Kazuar's code back to Turla operations dating from 2005.

Below are some of Kazuar's main features:

› Written in .NET and obfuscated with ConfuserEx.
› Encrypts the debug messages it saves in log files using the Rijndael (AES) cipher.
› Well-organized code: the malware uses separate folders for different tasks (plugins, command processing, logging, configuration settings, etc.).
› Talks to C&C servers, most of which are hosted on compromised WordPress sites.
› Can exfiltrate data via HTTP, HTTPS, FTP, or FTPS.
› Modular design: operators can install or uninstall Kazuar plugins at will.
› Executes shell commands on Windows via cmd.exe and on Linux via /bin/bash.

Kazuar API helps reverse C&C server communications

According to researchers, the most notable and original feature is in Kazuar's C&C server communications.

By default and similar to most backdoor trojans, Kazuar will contact a hard-coded C&C server address for more instructions. While most of the commands a Kazuar backdoor receives from its C&C server are similar to what other malware families receive, one command stands out.

That command is "remote," which starts a web server on the infected host, exposing an API for remote connections.

In other words, Kazuar can reverse the flow of normal C&C communications. Instead of infected hosts beaconing to the C&C server for new commands, the attacker connects to the victim whenever they want and pushes new instructions.

This approach has two main benefits for the attacker. First, it allows the operators to migrate C&C servers at will, since the implant no longer depends on a working hard-coded callback address. Second, it can bypass security products that keep a close eye on outbound connections to suspicious domains but pay far less attention to inbound connections. The trade-off is that the host must be reachable inbound for the "remote" mode to be useful, and the new listening socket it opens is itself an artifact a defender can look for.
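Because the reversed flow only works if the implant accepts inbound connections, an unexpected new listening socket is one of the cleaner detection opportunities. The script below is an added example written for this article, not code from Kazuar or from either the Fox-IT or Palo Alto report: it parses `ss -ltnp`-style output from Linux, diffs the current listeners against a baseline snapshot, and flags any listener whose process/port pair is not on an allowlist. The snapshots, the allowlist, and the `dotnet` process listening on port 8080 are all constructed for illustration.

```python
"""Spot new inbound listeners on a host, the footprint a "remote"-style
reversed C&C mode leaves behind. Added example for this article; it is not
code from Kazuar or from the Fox-IT/Palo Alto reports."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches LISTEN rows in the shape printed by `ss -ltnp` on Linux, e.g.
#   LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
# The users:(...) part is optional because ss omits it without privileges.
SS_LISTEN = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


@dataclass(frozen=True, order=True)
class Listener:
    port: int
    addr: str
    proc: str
    pid: int


def parse_ss(output: str) -> set[Listener]:
    """Parse `ss -ltnp` output into a set of Listener records."""
    found: set[Listener] = set()
    for line in output.splitlines():
        m = SS_LISTEN.match(line.strip())
        if not m:
            continue  # header line or a non-LISTEN socket
        found.add(Listener(
            port=int(m["port"]),
            addr=m["addr"],
            proc=m["proc"] or "?",   # unknown when ss could not read the owner
            pid=int(m["pid"] or 0),
        ))
    return found


# Hypothetical allowlist of (process, port) pairs expected to listen on this host.
EXPECTED = {("sshd", 22), ("nginx", 443)}


def new_listeners(baseline: set[Listener], current: set[Listener]) -> list[Listener]:
    """Listeners present now that were absent from the baseline snapshot."""
    return sorted(current - baseline)


def unexpected_listeners(current: set[Listener], expected=EXPECTED) -> list[Listener]:
    """Listeners whose (process, port) pair is not on the allowlist. An implant
    that opened a web server for operator-initiated connections surfaces here
    even if it reused an allowed port under a different process name."""
    return sorted(x for x in current if (x.proc, x.port) not in expected)


# Constructed sample snapshots (not real telemetry). The second adds a
# hypothetical .NET runtime process listening on 8080.
BASELINE_SNAPSHOT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    [::]:443          [::]:*            users:(("nginx",pid=1044,fd=6))
"""
CURRENT_SNAPSHOT = BASELINE_SNAPSHOT + (
    'LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*         users:(("dotnet",pid=2291,fd=9))\n'
)


def run_check(baseline_text: str, current_text: str) -> list[tuple[str, int, str]]:
    """Return (process, port, reason) findings for a pair of snapshots."""
    baseline, current = parse_ss(baseline_text), parse_ss(current_text)
    findings = [(x.proc, x.port, "new since baseline")
                for x in new_listeners(baseline, current)]
    findings += [(x.proc, x.port, "not on allowlist")
                 for x in unexpected_listeners(current)]
    return findings


if __name__ == "__main__":
    for proc, port, reason in run_check(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT):
        print(f"ALERT {proc} listening on {port}: {reason}")
```

In practice the baseline would be captured once per host role and the current snapshot taken from `ss -ltnp` on a schedule; the allowlist check catches listeners that were present from the start, while the baseline diff catches the ones that appeared later, which is the pattern a "remote"-style command produces.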

As for Snake, the Mac OS X variant belongs to the same Turla malware family that Switzerland's government CERT (GovCERT.ch) identified as the tool used in a 2014 cyber-attack against RUAG, a Swiss weapons manufacturer. No details are available yet on where the Kazuar backdoor has been deployed.