APT Turla - Kazuar (MacOS Version of Uroburos Espionage Rootkit)


Malware researchers have found a new backdoor called Kazuar, which functions as a MacOS version of the Uroburos espionage rootkit. The actor behind this malware is the infamous Turla APT (Advanced Persistent Threat) group.

Uroburos Dragon


Uroburos has been nurtured by Turla since 2014 to execute commands on infected systems, aka zombie systems. In 2014, GDATA published a paper on Uroburos titled "Uroburos: Highly complex espionage software with Russian roots". We recommend that readers go through the paper, which gives a lot of information on the espionage framework gathered through deep reverse-engineering dissection.
GDATA Paper on Uroburos



The Uroburos rootkit is composed of two files: a driver and an encrypted virtual file system. The Mac version of Uroburos, known as Snake, Turla and Agent.BTZ, is a sophisticated malware framework employed in targeted attacks.

Analysis of Uroburos by GDATA

Rootkit Framework

Snake was discovered by researchers at the Netherlands-based cyber security firm FOX-IT. Experts state that this new variant, dubbed Snake, is a port of the Windows version and contains debug functionality. Kazuar is suspected to be a replacement for Carbon, the second-stage backdoor implanted in systems already compromised by Turla. Kazuar is a Microsoft .NET framework based Trojan that grants the actors complete access to the compromised systems targeted by its operator.

Post made by
newWorld

Comments

Gabe Co Hadwin said…
Hi, great. The tutorial is just awesome. It is really helpful for a newbie like me. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a .Net developer, learn from .Net Core Training in Chennai, or learn through .Net Core Training in Chennai. Nowadays Dot Net has tons of job opportunities in various vertical industries.
Or Es6 Training in Chennai. Nowadays JavaScript has tons of job opportunities in various vertical industries.
newworld said…
Thanks for your comment.
Keep watching our space.
We will try to bring more contents here!!!
john kevin said…
It's always so sweet and also full of a lot of fun for me personally and my office colleagues to search your blog a minimum of thrice a week to see the new guidance you have got.

java training in bangalore