Unit 42 provides a deep technical analysis of an upgraded Kazuar backdoor variant used by the Pensive Ursa group, highlighting its stealth, anti-analysis, and multi-stage capabilities. The report details Kazuar's HTTP and named-pipe C2 communications, its extensive 40+ command set, and its ties to Pensive Ursa, with Kazuar a potential successor to Carbon. #Kazuar #PensiveUrsa #Turla #Carbon #GitSCM #Signal #RUAG
Key points
- Kazuar’s latest variant is an upgraded .NET backdoor used as a second-stage payload by the Pensive Ursa (aka Turla) threat group.
- The variant emphasizes stealth and anti-analysis measures, including code obfuscation, encryption, and anti-dumping techniques.
- Kazuar supports multi-stage delivery and a modular, multithreaded architecture with separate task and result handling.
- It communicates with its C2 via HTTP and can also act as a proxy over named pipes for peer-to-peer command and control.
- The malware includes a large set of 45+ C2 commands spanning data collection, credential theft, file and registry operations, and scripting.
- Security vendors tie Kazuar to Pensive Ursa and potentially to Carbon, reinforcing attribution to the group and to the older Carbon lineage.
MITRE Techniques
- [T1055] Process Injection – Kazuar injects into explorer.exe by default and can fall back to injecting into the user’s default browser or svchost.exe. “Default mode, injects into explorer.exe” and “Injects into the user’s default browser or svchost.exe.”
- [T1071.001] Web Protocols – Kazuar uses HTTP to communicate with C2; initial HTTP POSTs carry XML data and receive XML responses. “HTTP POST command with an XML in the body sent to the C2.”
- [T1113] Screen Capture – Automated tasks include taking screenshots as part of data collection. “Taking screenshots” (Autos functionality).
- [T1082] System Information Discovery – Extensive profiling collects OS, hardware and network data; first_systeminfo_do archives system info. “comprehensive information about the infected machine” and “OS, hardware and network.”
- [T1560] Archive Collected Data – The malware zips collected data (info/logs/screen capture) prior to exfiltration. “zipping of all of these files into one archive before being encrypted and sent to the C2.”
- [T1027] Obfuscated/Compressed Files and Information – Strings are encrypted at runtime; multiple dictionaries deobfuscate strings. “Strings Encryption” and “decrypts each string at runtime.”
- [T1555.003] Credentials in Files – Kazuar can steal credentials from cloud apps and files (Git SCM credentials, Signal, etc.). “Steals data from various browsers and applications” and “Git SCM credentials Kazuar may attempt to steal.”
- [T1059.001] PowerShell – Commands execute PowerShell scripts (psh). “Executes a PowerShell Script.”
- [T1059.003] Windows Command Shell – Command execution via cmd.exe (cmd). “cmd” command listed in C2 commands.
- [T1059.007] JavaScript – Executes JavaScript (jsc). “Executes JavaScript.”
- [T1112] Registry Modification – Capabilities include regwrite to set registry keys/values. “Sets a registry key/value.”
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks (honeypots, tools, and sandbox) are used to avoid analysis. “Anti-Analysis Checks” and “honeypot, analysis tools and sandbox.”
- [T1047] WMI – The use of WMI consumers in task execution is described (e.g., “WMI consumer”).
Indicators of Compromise
- [SHA256] Kazuar SHA256 – 91dc8593ee573f3a07e9356e65e06aed58d8e74258313e3414a7de278b3b5233
- [URL] C2 Servers – hxxps://www.pierreagencement[.]fr/wp-content/languages/index.php, hxxps://sansaispa[.]com/wp-includes/images/gallery/, hxxps://octoberoctopus.co[.]za/wp-includes/sitemaps/web/
- [GUID] Primary cookie used for C2 comms – 169739e7-2112-9514-6a61-d300c0fef02d
- [GUID] Alternate cookie variant – 169739e7211295146a61d300c0fef02d
- [Filename] Info and logs – info.txt, logs.txt
- [Filename] Task/result data – result files created by the Task Solver (encrypted and written to disk)
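The indicators above are published in defanged form (hxxps, [.]) and the C2 cookie GUID appears in two spellings, so matching them against proxy or EDR telemetry needs a small amount of normalisation. The following is an added example written for this summary, not code from Unit 42 or from the report; it refangs the listed C2 URLs, normalises both cookie forms to one 32-hex value, and scans a handful of constructed key=value proxy log lines (the log schema and sample lines are invented for illustration) for C2 hosts, the cookie GUID, and the published SHA256. A cookie hit on a host that is not in the list is still reported, since reuse of the same cookie against new infrastructure is exactly the case a defender wants surfaced.

```python
"""Match the Kazuar IoCs listed above against constructed proxy log lines.

Added example for this summary, not Unit 42 code. The key=value log format
and the SAMPLE_LOG lines are constructed; adapt parse_line() to your schema.
"""
import re
from urllib.parse import urlparse

# Indicators as published on the page (defanged where the page defangs them).
KAZUAR_SHA256 = frozenset({
    "91dc8593ee573f3a07e9356e65e06aed58d8e74258313e3414a7de278b3b5233",
})
C2_URLS_DEFANGED = [
    "hxxps://www.pierreagencement[.]fr/wp-content/languages/index.php",
    "hxxps://sansaispa[.]com/wp-includes/images/gallery/",
    "hxxps://octoberoctopus.co[.]za/wp-includes/sitemaps/web/",
]
# Both cookie spellings from the page: hyphenated GUID and compact 32-hex.
C2_COOKIE_GUIDS = {
    "169739e7-2112-9514-6a61-d300c0fef02d",
    "169739e7211295146a61d300c0fef02d",
}


def refang(ioc: str) -> str:
    """Turn a defanged URL (hxxp, [.]) back into its real form for matching."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def normalize_guid(value: str) -> str:
    """Collapse hyphenated and compact GUID spellings into one comparable form."""
    return value.replace("-", "").lower()


# urlparse().hostname is already lowercased, so host comparison is case-safe.
C2_HOSTS = frozenset(urlparse(refang(u)).hostname for u in C2_URLS_DEFANGED)
C2_COOKIE_NORMALIZED = frozenset(normalize_guid(g) for g in C2_COOKIE_GUIDS)

# GUID shape with optional hyphens; findall returns whole matches (no groups).
_GUID_RE = re.compile(
    r"\b[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}\b", re.I
)
# key=value tokens; quoted values may contain spaces.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse a constructed key=value proxy log line into a dict."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def scan_log_line(line: str) -> list:
    """Return the IoC hits for one log line: c2_host:<host> and/or c2_cookie."""
    fields = parse_line(line)
    hits = []
    host = urlparse(fields.get("url", "")).hostname
    if host and host in C2_HOSTS:
        hits.append(f"c2_host:{host}")
    for candidate in _GUID_RE.findall(fields.get("cookie", "")):
        if normalize_guid(candidate) in C2_COOKIE_NORMALIZED:
            hits.append("c2_cookie")
            break
    return hits


def scan_hashes(hashes) -> set:
    """Return the subset of supplied SHA256 values that match the published hash."""
    return {h.lower() for h in hashes if h.lower() in KAZUAR_SHA256}


# Constructed sample lines: one benign request, one full C2 beacon, one cookie
# reuse against an unlisted host, and one contact with a listed host on a new path.
SAMPLE_LOG = [
    '2024-01-10T12:00:01Z src=10.0.0.5 method=GET url=https://example.com/ cookie="" ct=text/html',
    '2024-01-10T12:00:07Z src=10.0.0.5 method=POST url=https://www.pierreagencement.fr/wp-content/languages/index.php cookie=169739e7-2112-9514-6a61-d300c0fef02d ct=text/xml',
    '2024-01-10T12:01:30Z src=10.0.0.9 method=POST url=https://unlisted.example.net/index.php cookie=169739e7211295146a61d300c0fef02d ct=text/xml',
    '2024-01-10T12:02:44Z src=10.0.0.9 method=GET url=https://OctoberOctopus.co.za/wp-includes/other/ cookie="" ct=text/html',
]


def run_demo() -> dict:
    """Scan SAMPLE_LOG and return {line_index: hits} for lines with at least one hit."""
    return {i: h for i, h in enumerate(scan_log_line(l) for l in SAMPLE_LOG) if h}


if __name__ == "__main__":
    for idx, hits in run_demo().items():
        print(f"line {idx}: {', '.join(hits)}")
```

Host matching is done on the hostname rather than the full URL because the page lists three URLs on three distinct domains and a C2 path can change between samples; if your telemetry carries the full request, the URL list can be used as a second, stricter tier.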
Read more: https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backdoor/