Dismiss this notice
Ant Download Manager Christmas 2020 Giveaway - https://www.geeks.fyi/showthread.php?tid=13686

Dismiss this notice
Macrium Reflect Home Edition Christmas 2020 Giveaway - https://www.geeks.fyi/showthread.php?tid=13685

Dismiss this notice
HitmanPro.Alert Christmas 2020 Giveaway - https://www.geeks.fyi/showthread.php?tid=13684

Dismiss this notice
VoodooShield PRO Christmas 2020 Giveaway - https://www.geeks.fyi/showthread.php?tid=13689

Dismiss this notice
NoVirusThanks OSArmor v1.5 Christmas 2020 Giveaway - https://www.geeks.fyi/showthread.php?tid=13758

Dismiss this notice
Revo Uninstaller Pro 4 Christmas 2020 Giveaway - https://www.geeks.fyi/showthread.php?tid=13688

Dismiss this notice
CheckMAL's AppCheck Pro Christmas 2020 Giveaway - https://www.geeks.fyi/showthread.php?tid=13690

Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Sunburst backdoor – code overlaps with Kazuar
[Image: abstract_sunburst_kazuar.jpg]


On December 13, 2020, FireEye published a blog post detailing a supply chain attack leveraging Orion IT, an infrastructure monitoring and management platform by SolarWinds. In parallel, Volexity published an article with their analysis of related attacks, attributed to an actor named “Dark Halo”. FireEye did not link this activity to any known actor; instead, they gave it an unknown, temporary moniker – “UNC2452”.

This attack is remarkable from many points of view, including its stealthiness, precision targeting and the custom malware leveraged by the attackers, named “Sunburst” by FireEye.

In a previous blog, we dissected the method used by Sunburst to communicate with its C2 server and the protocol by which victims are upgraded for further exploitation. Similarly, many other security companies published their own analysis of the Sunburst backdoor, various operational details and how to defend against this attack. Yet, besides some media articles, no solid technical papers have been published that could potentially link it to previously known activity.

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Kazuar is a .NET backdoor first reported by Palo Alto in 2017. Palo Alto tentatively linked Kazuar to the Turla APT group, although no solid attribution link has been made public.

Our own observations indeed confirm that Kazuar was used together with other Turla tools during multiple breaches in past years.

A number of unusual, shared features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm and the extensive usage of the FNV-1a hash.

We describe these similarities in detail below.

For a summary of this analysis and FAQs, feel free to scroll down to “Conclusions“.

We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach. If we consider past experience, looking back to the WannaCry attack, in the early days, there were very few facts linking them to the Lazarus group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research on this topic can be crucial in connecting the dots.

More information about UNC2452, DarkHalo, Sunburst and Kazuar is available to customers of the Kaspersky Intelligence Reporting service. Contact: intelreports[at]kaspersky.com

Technical DetailsBackground

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Kazuar is a .NET backdoor first reported by Palo Alto in 2017.

Throughout the years, Kazuar has been under constant development. Its developers have been regularly improving it, switching from one obfuscator to another, changing algorithms and updating features. We looked at all versions of Kazuar since 2015, in order to better understand its development timeline.

In the following sections, we look at some of the similarities between Kazuar and Sunburst. First, we will discuss how a particular feature is used in Kazuar, and then we will describe the implementation of the same feature in Sunburst.

Comparison of the sleeping algorithms

Both Kazuar and Sunburst have implemented a delay between connections to a C2 server, likely designed to make the network activity less obvious.


Kazuar calculates the time it sleeps between two C2 server connections as follows: it takes two timestamps, the minimal sleeping time and the maximal sleeping time, and calculates the waiting period with the following formula:

generated_sleeping_time = sleeping_time[sub]min[/sub] + x (sleeping_time[sub]max[/sub] - sleeping_time[sub]min[/sub])

where x is a random floating-point number ranging from 0 to 1 obtained by calling the NextDouble method, while sleeping_time[sub]min[/sub] and sleeping_time[sub]max[/sub] are time periods obtained from the C2 configuration which can be changed with the help of a backdoor command. As a result of the calculations, the generated time will fall in the [sleeping_time[sub]min[/sub], sleeping_time[sub]max[/sub]] range. By default, sleeping_time[sub]min[/sub] equals two weeks and sleeping_time[sub]max[/sub] equals four weeks in most samples of Kazuar we analysed. After calculating the sleeping time, it invokes the Sleep method in a loop.

Kazuar implements this algorithm in the following lines of code (class names were omitted from the code for clarity).SunburstSunburst uses exactly the same formula to calculate sleeping time, relying on NextDouble to generate a random number. It then calls the sleeping function in a loop. The only difference is that the code is somewhat less complex. Below we compare an extract of the sleeping algorithm found in Kazuar and the code discovered in Sunburst.
Continue Reading
[-] The following 1 user Likes harlan4096's post:
  • Decimuss

Forum Jump:

Users browsing this thread: 1 Guest(s)
You have to register before you can post on our site.



Recent Posts
Skype ...Mohammad.Poorya — 02:46
AnyDesk 5.3.2
AnyDesk 6.1.4 Chang...Mohammad.Poorya — 02:40
Funny pictures
Imran — 15:48
Google Searches Expose Stolen Corporate ...
Attackers behind a...silversurfer — 15:46
Google Forms Set Baseline For Widespread...
A threat actor has...silversurfer — 15:42

Today's Birthdays
avatar (46)Josepharelf
avatar (35)kholukrefar
Upcoming Birthdays
avatar (45)theoldevext
avatar (40)algratCep
avatar (35)zetssToomy
avatar (42)GornOr
avatar (45)Jamesmog
avatar (33)opeqyrav
avatar (36)uxegihor

Online Staff
Decimuss's profile Decimuss