APT Turla - Kazuar Backdoor and the macOS Version of the Uroburos Espionage Rootkit
Malware researchers have found a new backdoor called Kazuar and attributed it to the infamous Turla APT (Advanced Persistent Threat) actor, the same group behind the Uroburos espionage rootkit, which has now also been ported to macOS.
Uroburos has been used by Turla since at least 2014 to execute commands on infected systems, also called zombie systems. In 2014, G DATA published a paper on it titled "Uroburos: Highly complex espionage software with Russian roots". We recommend that readers go through the paper, which gives a lot of information on the espionage tooling, obtained by detailed reverse engineering.
|GDATA Paper on Uroburos|
The Uroburos rootkit is composed of two files, a driver and an encrypted virtual file system. Uroburos, also known as Snake, Turla and Agent.BTZ, is a sophisticated malware framework employed in targeted attacks, and a macOS version of it has now been found.
|Analysis of Uroburos by GDATA|
The macOS variant of Snake was discovered by researchers at the Netherlands-based cyber security firm Fox-IT. They state that it is a port of the Windows version and still contains debug functionality. Kazuar is a separate tool: it is suspected to be a replacement for Carbon, the second-stage backdoor Turla implants in systems it has already compromised. Kazuar is a Microsoft .NET Framework based Trojan that grants its operators complete access to compromised systems; its code also includes support for running on macOS and Unix hosts through Mono, which is what ties it to Turla's non-Windows activity.