The Turla advanced persistent threat group appears to have recently created both a new multiplatform backdoor malware program called Kazuar, and a MacOS version of its Uroburos espionage rootkit.
The Mac version of Uroburos, also known as Turla and Snake, was discovered by researchers at FOX-IT. In a blog post on Wednesday, the Netherlands-based cybersecurity firm reported that this new iteration, which was signed on February 21, is a port of the Windows version and contains debug functionalities. While the company suspects that this malware version is not yet operational, "Fox-IT expects that the attackers using Snake will soon use the Mac OS X variant on targets," the blog post warns.
First detected in 2014, the stealthy Turla malware framework can take control of infected machines, execute arbitrary commands, hide system activities, steal information from secure facilities and capture network traffic, and is widely assumed to be the product of a sophisticated Russian intelligence service.
The other new discovery, Kazuar, appears to be a possible alternative or replacement for Carbon, a second-stage backdoor often implanted in systems already compromised by Turla, which historically has targeted embassies, defense contractors, educational institutions, and research organizations, worldwide.
Researchers at Palo Alto Networks' Unit 42 threat intelligence unit identified and analyzed Kazuar, a Microsoft .NET framework-based malware whose name translates to English as "cassowary," a kind of flightless bird. But while cassowaries are endemic to Oceania, Kazuar also appears to trace back to Russia, based on code and tools found in past Turla campaigns.
In a blog post on Wednesday, Palo Alto described Kazuar as giving actors total access to compromised systems, allowing adversaries to manipulate files, collect data, capture screenshots and webcam images and remotely load additional plug-ins that further enhance the trojan's abilities.
Some of Kazuar's commands contain checks that determine an infected machine's operating environment, suggesting that the tool is intended to work across Windows, Unix and Mac platforms. To further support its multiplatform theory, Palo Alto also notes that during its initialization process, the malware can follow one of four main paths of execution, including one that appears to be intended for Mac or Unix hosts.
Interestingly, the blog post notes that the malware includes a capability that "is rarely seen in backdoors used in espionage campaigns: a remote API function that essentially 'flips the communication flow between the Trojan and the C2 server,'" so that the C&C server can send requests directly to the trojan, rather than the malware initiating communications. According to Palo Alto, Kazuar's ability to listen for inbound HTTP requests from the C2 server turns it, for all intents and purposes, into a webserver.
"This is unusual because it's built for inbound communications for control rather than using outbound communications for control," Christopher Budd, senior threat communications manager at Palo Alto Networks, told SC Media. "Also exposing an API like this shows a degree of professional quality development."
"This communications flow is important if the compromised system is a remotely accessible server that may raise flags when initiating outbound requests," the blog post continues. "Also, by creating this type of API access, the threat actors could use one accessible server as a single point to dump data to and exfiltrate data from."
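The two network patterns described above, a backdoor that listens for inbound HTTP control traffic and a server that starts raising flags only because it initiates outbound connections, can both be caught by comparing a host's open sockets against a per-host baseline. The following Python is an added example, not code from the article, Fox-IT or Palo Alto Networks; the socket inventory format, hostnames, baselines and addresses are constructed assumptions, not the output of any real tool.

```python
"""Flag sockets that contradict a host's expected network role.

Added example; not code from the article or from Fox-IT / Palo Alto Networks.
The inventory format ("host role direction port process peer"), the
baselines and every address below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SocketRecord:
    host: str
    role: str        # "server" or "workstation"
    direction: str   # "listen" (local port) or "outbound" (remote port)
    port: int
    process: str
    peer: str        # "*" for listeners, remote IP for outbound connections


# Constructed baseline: (port, process) pairs each host is expected to listen on.
EXPECTED_LISTENERS = {
    "web01": {(80, "nginx"), (443, "nginx"), (22, "sshd")},
    "ws-finance-07": {(22, "sshd")},
}

# Constructed: address space a server may legitimately talk to on its own initiative.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Ports where an unexpected listener most resembles the inbound-control pattern.
HTTP_PORTS = {80, 443, 8080, 8443}

# Constructed inventory snapshot; two of these lines should be flagged.
SAMPLE_SNAPSHOT = """
# host          role         direction port process     peer
web01           server       listen    80   nginx       *
web01           server       listen    443  nginx       *
web01           server       listen    22   sshd        *
web01           server       outbound  443  curl        203.0.113.10
ws-finance-07   workstation  listen    22   sshd        *
ws-finance-07   workstation  listen    8080 updater.exe *
ws-finance-07   workstation  outbound  443  chrome.exe  198.51.100.5
"""


def parse_snapshot(text: str) -> list[SocketRecord]:
    """Parse the constructed whitespace-separated inventory, skipping comments."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, role, direction, port, process, peer = line.split()
        records.append(SocketRecord(host, role, direction, int(port), process, peer))
    return records


def find_anomalies(records: list[SocketRecord]) -> list[tuple[str, str, int, str]]:
    """Return (host, reason, port, process) for each record that breaks the baseline.

    Listeners: anything not in EXPECTED_LISTENERS is reported; an HTTP-ish port
    is labelled separately because it matches the inbound-control pattern.
    Outbound: only server-role hosts are checked, and only connections that
    leave INTERNAL_NETS are reported (workstations browse; servers should not).
    """
    findings = []
    for r in records:
        if r.direction == "listen":
            if (r.port, r.process) not in EXPECTED_LISTENERS.get(r.host, set()):
                reason = ("unexpected HTTP listener (inbound-control pattern)"
                          if r.port in HTTP_PORTS else "unexpected listener")
                findings.append((r.host, reason, r.port, r.process))
        elif r.direction == "outbound" and r.role == "server":
            peer = ip_address(r.peer)
            if not any(peer in net for net in INTERNAL_NETS):
                findings.append((r.host, "server initiating external outbound",
                                 r.port, r.process))
    return findings


if __name__ == "__main__":
    for host, reason, port, process in find_anomalies(parse_snapshot(SAMPLE_SNAPSHOT)):
        print(f"{host}: {reason} on port {port} by {process}")
```

The baseline is deliberately keyed on both port and process: a listener on 443 is expected on web01 only when nginx owns it, so a second process binding an HTTP port on the same host is still reported. Run on a real inventory, the same logic would consume whatever socket listing the endpoint agent already collects; the parser here only exists to feed the constructed sample.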
The C&C servers associated with Kazuar appear to be compromised WordPress blogs, Palo Alto noted.