Palo Alto Networks Unit 42 has reported that the Russian hacking group Turla, also known as Pensive Ursa [1] [3] [5], has been targeting Ukraine’s defense sector. This group, believed to be linked to Russia’s Federal Security Service (FSB) [1] [3] [5], has been active since at least 2004 [3].

Description

In July 2023 [4], Turla targeted Ukraine’s defense sector to obtain sensitive assets such as messages, source control [1], and cloud platform data [1]. Ukraine’s Computer Emergency Response Team (CERT-UA) confirmed these attacks and highlighted the multi-staged delivery mechanism of the Kazuar backdoor Trojan, along with the use of a new first-stage backdoor called Capibar.

The updated version of Kazuar [3] [4] [5], based on Microsoft’s .NET framework [1], has been found to be more sophisticated than previously thought [4], with over 40 distinct commands [4], half of which were previously unknown [4]. These enhancements demonstrate significant improvements to the code structure and functionality of Kazuar [1] [4], making it more difficult to detect [1].

Kazuar is a .NET-based implant that was first discovered in 2017 and has since evolved to include robust obfuscation and custom string encryption methods [5]. It has a wide range of features [5], including system profiling [2] [5], data collection [5], credential theft [5], file manipulation [5], and arbitrary command execution [5]. Kazuar can also set up automated tasks to gather system data [5], take screenshots [5], and grab files [5].

Communication with command and control (C2) servers is done over HTTP [5], and Kazuar can function as a proxy to communicate with other infected systems [5]. It has extensive anti-analysis capabilities to remain undetected and will cease all C2 communication if it is being debugged or analyzed [5].

A variant of Kazuar [1], used by Pensive Ursa [2], has been examined and found to include previously undocumented features such as system profiling and injection modes [2]. This variant of Kazuar has been used in attacks targeting Ukraine’s defense sector.

Conclusion

The targeting of Ukraine’s defense sector by the Turla hacking group raises concerns about the security of sensitive assets and the potential impact on national security. The sophistication and evolving nature of Kazuar highlight the need for robust cybersecurity measures to detect and mitigate such threats. The discovery of previously undocumented features in the variant used by Pensive Ursa underscores the ongoing development and adaptability of these hacking tools. Continued vigilance and collaboration between cybersecurity experts and defense organizations are crucial to effectively counter these threats in the future.

References

[1] https://www.darkreading.com/endpoint/upgraded-kazuar-backdoor-offers-stealthy-power
[2] https://thecyberwire.com/newsletters/daily-briefing/12/210
[3] https://thehackernews.com/2023/11/turla-updates-kazuar-backdoor-with.html
[4] https://www.infosecurity-magazine.com/news/palo-alto-features-russian-turla/
[5] https://www.redpacketsecurity.com/turla-updates-kazuar-backdoor-with-advanced-anti-analysis-to-evade-detection/