Kazuar is a backdoor trojan used by the Turla APT group (also known as "Uroburos" and "Snake"). It is written using the Microsoft .NET Framework and gives the threat actors complete access to compromised devices, including the ability to remotely load plugins for additional capabilities. The trojan is a fully featured backdoor obfuscated with the open source packer ConfuserEx. Variants of Kazuar also target Mac and Linux operating systems. Its code is well organized, with separate folders holding the code for specific tasks. It communicates with C2 servers, most of which are hacked WordPress sites; exfiltrates data via HTTP, HTTPS, FTP, or FTPS; and executes shell commands on Windows via cmd.exe and on Linux via /bin/bash. Kazuar's C2 infrastructure allows the threat actors to ping the victim machine in order to send new instructions, which lets them migrate C2 servers and bypass some security solutions that focus only on outbound connections to suspicious domains.

Technical Details

  • Palo Alto Networks provides technical details on the Kazuar trojan here.