Cybersecurity researchers, have found a potential connection between the backdoor used in the SolarWinds hack to a previously known malware strain, several features that overlap with another backdoor known as Kazuar, a .NET-based malware first documented by Palo Alto Networks in 2017.

The campaign was notable for its scale and stealth, with the attackers leveraging the trust associated with SolarWinds Orion software to infiltrate government agencies and other companies so as to deploy a custom malware codenamed “Sunburst.”

Similarities of Sunburst and Kazuar

Attribution for the SolarWinds supply-chain compromise has been difficult in part due to little-to-no clues linking the attack infrastructure to previous campaigns or other well-known threat groups.

Sunburst backdoor has revealed a number of shared features between the malware and Kazuar.

  • Both Sunburst and Kazuar were developed by the same threat group
  • The adversary behind Sunburst used Kazuar as an inspiration
  • The groups behind Kazuar (Turla) and Sunburst (UNC2452 or Dark Halo) obtained the malware from a single source
  • The developers of Kazuar moved to another team, taking their toolset with them, or
  • The Sunburst developers deliberately introduced these links as “false flag” to shift blame to another group

The similarities between the two malware families include the use of a sleeping algorithm to stay dormant for a random period between connections to a C2 server, the extensive usage of the FNV-1a hash to obfuscate the malicious code, and the use of a hashing algorithm to generate unique victim identifiers. Kazuar randomly selects the sleeping period while Sunburst selects on equal 10 day intervals

Kazuar’s Links to Turla

Kazuar is a fully featured backdoor written using the .NET Framework and relies on a command-and-control (C2) channel to allow actors to interact with the compromised system and exfiltrate data.

Kazuar appears to have undergone a complete redesign with a new keylogger and password-stealing functions added to the backdoor that’s implemented in the form of C2 server command.

While it’s normal for threat actors to keep updating their toolset and introduce features designed to bypass endpoint detection and response (EDR) systems,

Suspecting the SolarWinds attack might be discovered, the Kazuar code was changed to resemble the Sunburst backdoor as little as possible.

CISA Advisory

An adversary “likely Russian in origin” for staging the SolarWinds hack. Initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services.

These code overlaps between Kazuar and Sunburst are interesting and represent the first potential identified link to a previously known malware family. The relationship is not clear. But the Sunburst developers are clever for not leaving any traces of attack