
Kazuar

Posted: April 21, 2020

Kazuar is a backdoor Trojan with ties to the Turla APT, a Russian threat actor that specializes in cyber-espionage. Kazuar includes many of the characteristic features of this Trojan type, such as executing system commands or modifying files, as well as an unusual, server-based communications option that may hide its network contacts. Users of Windows, macOS, or Unix-based systems alike should have anti-malware protection for removing Kazuar safely and should change all at-risk passwords as soon as possible afterward.

A Bird Too Large for Any One OS to Handle

Backdoor Trojans are one of the broader categories of threats. They can include Trojans with incredibly expansive, modular capabilities, alongside programs that do little more than ping a server and await a response. Kazuar, named after Southeast Asia's cassowary, leans more to the traditional side of its kind. Victims underestimating its capabilities, however, will find that the Turla APT is maintaining it with a few 'surprise' features that make it more compatible and evasive than their other tools, like Neuron or PowerStallion.

As with both of those backdoor Trojans, Kazuar's purpose is avoiding detection while the Turla APT's hackers acquire intelligence from desirable targets. Unlike them, Kazuar, despite being a .NET Framework application, also contains features intended to make it compatible with Unix and macOS systems. That said, our malware experts only have hard confirmation of Windows samples.

Kazuar has significant work put into its setup routine and may adapt itself to vulnerable PCs through different persistence methods, such as memory-injected DLLs, a Windows service, or a built-in .NET Framework function. Once it's working, Kazuar provides the attacker (or a presumably-Russian spy) with many system-controlling capabilities, including screenshots, file uploads, webcam captures, copying files, launching EXEs, and launching other attacks via optional modules.

The API feature is also worth noting on its own. Ordinarily, Kazuar sends requests to its Command & Control server and waits for a response. Optionally, the threat actor can command Kazuar to create an always-listening Web server with API support. Doing so inverts the organizational flow of the C&C contact and may help Kazuar evade firewalls and services that monitor outbound requests from the infected PCs.
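Because the inverted C&C flow described above produces inbound connections rather than outbound beacons, egress monitoring alone will miss it; the complementary host-side control is a check for listening sockets that are not in the host's baseline. The following Python is an added example, not code from the original article and not Kazuar's own code: it parses constructed `netstat -ano`-style output and a constructed PID-to-image map (both made up for this illustration) and flags listeners that fall outside a per-host allowlist of expected (port, image) pairs.

```python
"""Flag unexpected listening TCP sockets from netstat-style output (defensive check)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of Windows `netstat -ano` output; not real data.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       5520
  TCP    192.168.1.20:49712     93.184.216.34:443      ESTABLISHED     3312
"""
# Constructed PID -> image-name map, as `tasklist` would provide it.
SAMPLE_PROCS = {912: "svchost.exe", 4: "System", 1204: "svchost.exe",
                5520: "updater.exe", 3312: "browser.exe"}
# Per-host baseline of (port, image) pairs that are expected to listen.
BASELINE = {(135, "svchost.exe"), (445, "System"), (3389, "svchost.exe")}

# Only LISTENING TCP rows matter here; established sessions are skipped.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


@dataclass(frozen=True)
class Finding:
    port: int
    pid: int
    image: str
    exposed: bool   # True when bound to all interfaces rather than loopback
    reason: str


def find_unexpected_listeners(netstat_text, procs, baseline):
    """Return listeners whose (port, image) pair is not in the baseline."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, UDP, or non-listening socket
        bind, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        image = procs.get(pid, "<unknown>")
        if (port, image) in baseline:
            continue
        reason = "listener not in baseline"
        if image == "<unknown>":
            reason = "listener from PID with no resolvable image"
        exposed = bind in ("0.0.0.0", "[::]")
        findings.append(Finding(port, pid, image, exposed, reason))
    return findings
```

An unexpected listener is a lead to triage (who started the process, when, and what it serves), not a verdict by itself.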

Don't Get Confused by an Obfuscated Trojan

Kazuar is one of many threats (see also the Galacti-Crypter Ransomware or RANWare) that use the free ConfuserEx tool to obfuscate their code. The Trojan also may hibernate indefinitely and contains an apparent uninstallation feature. Taken alongside its other elements and structure, it's evident that the Turla APT isn't neglecting anti-detection as a priority for their intelligence operations.

As stated before, Kazuar endangers more than just Windows systems and has a particularly adaptable means of guaranteeing its installation and persistence. Malware experts haven't seen it in use outside of apparent Turla APT campaigns, but for affected users, it represents an almost total loss of privacy and control over their files. It is most likely deployed in a multi-stage attack, with an initial Trojan dropper or downloader as the first stage and Kazuar as the follow-up.

Users in vulnerable environments should protect themselves through anti-malware tools for deleting Kazuar on sight, as well as by observing possible infection vectors (e-mail attachments particularly).

Many of Kazuar's moving gears are nothing more than reused code and features that already appeared in older parts of these Russian hackers' toolkit. Where it innovates, however, is more than a little concerning, since the possibility of a Trojan infecting more than one operating system makes for a spying operation with truly invasive, and technically sophisticated, goals.
