New research on the SolarWinds software breach has found a link between the backdoor used in the attack and a previously identified malware strain.
Security researchers report that the backdoor shares several features with a backdoor known as Kazuar.
The operation targeting SolarWinds' Orion software shocked the security world with its scale and sophistication: the attackers inserted a custom backdoor, code-named "Sunburst", into Orion builds and used it to infiltrate government agencies and other organizations.
Sunburst and Kazuar Share Features
The SolarWinds attack has been hard to attribute because, so far, there have been no clues connecting it to any earlier campaign of a similar type.
Yet a new study of the Sunburst backdoor shows several features shared with Kazuar, which has led researchers to consider that Sunburst and Kazuar may have been created by the same group, or at least that Kazuar served as an inspiration for Sunburst's developers. Based on their analysis, the researchers put forward several hypotheses: the groups behind Kazuar (Turla) and Sunburst (Dark Halo or UNC2452) may have acquired the code from a single source; some Kazuar developers may have moved to another team, taking their toolset with them; or the Sunburst developers may have deliberately planted a "false flag" to shift the blame to another group.
The shared features include a sleep algorithm that keeps the malware dormant for a random period between connections to a C2 server, the use of the FNV-1a hash to obscure strings in the code rather than storing them in the clear, and a hashing algorithm that generates unique victim identifiers.
Although Sunburst picks a random 12- to 14-day sleep period before its initial contact with the server, and Kazuar waits two to four weeks between C2 contacts, both strains compute the sleep time with the same formula.
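As an added example (not code from the article or from either malware family), here is how FNV-1a string hashing hides string comparisons, and how an analyst reverses it. The 32- and 64-bit FNV-1a parameters are the standard ones; the XOR tweak, the lower-casing step, the process names and the embedded hash set are constructed assumptions for illustration, not values taken from Sunburst or Kazuar.

```python
"""Added example, not code from the article or from Sunburst/Kazuar: FNV-1a
string hashing as malware uses it to hide string comparisons, and the
analyst-side reversal of the embedded hashes with a wordlist."""
from typing import Dict, Iterable, Optional

# Standard FNV-1a parameters (offset basis and prime) for 32- and 64-bit output.
FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a_32(data: bytes) -> int:
    """Plain FNV-1a, 32-bit: XOR each byte in, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h = ((h ^ b) * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """Plain FNV-1a, 64-bit."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


# Assumption for illustration: the hash is post-processed with a fixed XOR so the
# embedded values do not match stock FNV-1a tables. This constant is made up.
XOR_TWEAK = 0x0123456789ABCDEF


def obfuscated_hash(name: str) -> int:
    """Value the malware would embed: FNV-1a over the lower-cased UTF-8 name, XOR tweak.
    Lower-casing is an assumption so that 'ProcMon.exe' and 'procmon.exe' collide."""
    return fnv1a_64(name.lower().encode("utf-8")) ^ XOR_TWEAK


# Constructed sample: the set of hashes a defender would lift from a disassembly.
# In the binary only these integers appear, not the tool names.
EMBEDDED_BLOCKLIST = frozenset(
    obfuscated_hash(n) for n in ("procmon.exe", "wireshark.exe", "x64dbg.exe")
)


def should_stay_dormant(running_processes: Iterable[str]) -> bool:
    """Malware-side check: stay quiet if any hashed name is on the blocklist."""
    return any(obfuscated_hash(p) in EMBEDDED_BLOCKLIST for p in running_processes)


def recover_names(hashes: Iterable[int], wordlist: Iterable[str],
                  tweak: int = XOR_TWEAK) -> Dict[int, Optional[str]]:
    """Analyst-side: hash every candidate name the same way and match it against
    the embedded values. Unmatched hashes map to None and need a bigger wordlist."""
    targets = set(hashes)
    found: Dict[int, str] = {}
    for word in wordlist:
        h = fnv1a_64(word.lower().encode("utf-8")) ^ tweak
        if h in targets:
            found[h] = word
    return {h: found.get(h) for h in targets}


if __name__ == "__main__":
    print(f"fnv1a_32('a') = {fnv1a_32(b'a'):#010x}")  # standard vector 0xe40c292c
    print(should_stay_dormant(["explorer.exe", "ProcMon.exe"]))
    print(recover_names(EMBEDDED_BLOCKLIST, ["notepad.exe", "procmon.exe", "x64dbg.exe"]))
```

The point for an analyst is that the hash only hides the strings from a casual look: once the exact variant is reproduced (bit width, any XOR tweak, case normalization, encoding), a wordlist of common analysis tools and service names recovers the blocklist in seconds. Those same implementation details are precisely what researchers compare when asking whether two samples share a code base.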
Kazuar is a .NET Framework backdoor that relies on a C2 channel through which operators communicate with the compromised host and exfiltrate data. It can run commands, take screenshots, and load additional functionality through a plugin command.
This fully featured backdoor has been attributed to the Russian threat group Turla; its code lineage can be traced back to at least 2005.
On November 18, 2020, Kazuar received an update that added new features such as a keylogger and a password-stealing function. Researchers analyzing the case note that the code was also reworked so that it resembles the Sunburst backdoor as little as possible, and they suspect this was an attempt to hide the similarities with the malware behind the SolarWinds breach.
A joint statement issued last week by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) says that an advanced persistent threat actor, likely Russian in origin, is behind the SolarWinds attack.
Though Sunburst and Kazuar are likely related, the nature of the connection is not yet clear, and some researchers suggest that the Sunburst developers may be using the similarities as an elaborate false flag. More research is needed to explain the relationship between the two malware strains.