Kaspersky reveals Sunburst backdoor code overlaps with previously known Kazuar malware

Sunburst backdoor code used in the recent SolarWinds cyber incident overlaps with several features of a previously identified .NET backdoor known as Kazuar, according to cybersecurity company Kaspersky.

Kazuar was first reported in 2017 by Palo Alto Networks’ Unit 42 security team. Developers said at that time that Kazuar included a highly functional command set with the ability to remotely load additional plugins to increase the Trojan’s capabilities.

A number of unusual, shared features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm and the extensive usage of the FNV-1a hash, Kaspersky said in a blog post on Monday. Although the usage of the sleeping algorithm may be too wide, the custom implementation of the FNV-1a hashes and the reuse of the MD5+XOR algorithm in Sunburst are definitely important clues, it said.

The FNV-1a hash is a non-cryptographic hash function named after its creators Glenn Fowler, Landon Curt Noll, and Kiem-Phong Vo. Hashing is a one-way cryptographic operation that transforms data into a set of random-looking characters that serves as its unique representation.

Kaspersky, a Russia-based cybersecurity firm with U.S. headquarters in Woburn, Massachusetts, has also identified that although similar, the UID calculation subroutine and the FNV-1a hash usage, as well the sleep loop, are still not 100 percent identical. Possible explanations for these similarities include that Sunburst was developed by the same group as Kazuar, or that the Sunburst developers adopted some ideas or code from Kazuar, without having a direct connection.

Other likely answers may lie in the fact that both groups, DarkHalo/UNC2452 and the group using Kazuar, obtained their malware from the same source, or that some of the Kazuar developers moved to another team taking knowledge and tools with them, or that the Sunburst developers introduced these subtle links as a form of false flag, in order to shift blame to another group, according to Kaspersky cybersecurity experts.

Currently, Kaspersky does not know if any of these possibilities are true. While Kazuar and Sunburst may be related, the nature of their relationship is still not clear. Through further analysis, it is possible that evidence confirming one or several of these points might arise, Kaspersky said.

Palo Alto Networks tentatively linked Kazuar to the Turla Advanced Persistent Threat (APT) group, although no solid attribution link has been made public, according to Kaspersky. The researchers surmised at the time that it may have been used by the Turla APT group, in order to replace their Carbon platform and other Turla second stage backdoors. Kaspersky’s observations also confirm that Kazuar was used together with other Turla tools during multiple breaches in past years.

Last month, an unknown attacker, referred to as UNC2452 or DarkHalo is alleged to have planted a backdoor in the SolarWinds Orion IT software that lead to security compromises, which began at least as early as March last year at U.S. government agencies, critical infrastructure entities, and private sector organizations, Kaspersky said last month. The Cybersecurity and Infrastructure Security Agency (CISA) had at the time advised all federal civilian agencies to review their networks for indications of compromise, and immediately disconnect or power down SolarWinds Orion products using versions 2019.4 through 2020.2.1 HF1 immediately.

The security agency subsequently updated its earlier advisory after finding evidence of initial access vectors other than the SolarWinds Orion software. CISA followed up its previous advisories last week by asking US federal agencies to update the SolarWinds Orion software by the end of 2020 in a supplementary guidance that broadens its earlier Emergency Directive (ED).

Last week, US security agencies set up a task force, known as the Cyber Unified Coordination Group (UCG), to coordinate the investigation and remediation of the impact of the recent supply chain cyber incident involving federal government networks. The cyber incident indicates that an APT actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks, the agencies noted.

Supply chain attacks are some of the most sophisticated types of attacks nowadays and have been used in the past by APT groups such as Winnti/Barium/APT41 and various cybercriminal groups, Kaspersky said.

To limit exposure to supply chain attacks, Kaspersky suggests that users isolate network management software in separate VLANs (virtual LANs), monitor them separately from the user networks, limit outgoing internet connections from servers or appliances that run third party software, and implement regular memory dumping and analysis.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.