Okay, so hello everybody, and thank you for joining our talk today. We are going to share with you some unique insights about one of the most sophisticated espionage tools in the world, the Kazuar backdoor. But before we begin, let us introduce ourselves. I don't need the clicker.

Hi everyone, so my name is Daniel Frank. I'm the team lead of Cortex Threat Research, and it's actually my second time in Sweden, so I'm really excited being here, so thank you for having me. I also work with this guy.

And my name is Tom Fakterman. I'm a senior threat researcher for the Cortex Threat Research team in Palo Alto Networks, and this is my second time presenting here, so this is really exciting, so thank you for having me back.

So what do we have for you today? We will start with some background about this malware and all the operations behind it. After that we will dive into our analysis of Kazuar and see what kind of challenges we faced trying to pick apart this malware. We'll talk about its architecture and core functionality, what cool stuff it can do. After that we'll talk about how to catch a Kazuar, basically what we can do to detect it, and for the end we will leave you with some key takeaways that we have from this research. So let's begin.

Let's start with some background about Kazuar and all the operations behind it. Kazuar was initially discovered by Unit 42 in 2017. It is an advanced and stealthy .NET backdoor, and since its initial discovery it was only observed to be used in very selective espionage operations that mostly targeted organizations in the European government and military sectors. Now, Kazuar is known to be part of the arsenal of tools of a Russian APT group known as Turla, or as we track it in Unit 42, Pensive Ursa. The US government attributes the activities of Turla to a unit within the Russian Federal Security Service, or FSB for short. Basically this group is considered to be one of the most advanced hacking groups in the world, and since its initial discovery Kazuar has remained under constant development, but since 2021 there was a two-year period where it was not seen in the wild. And let me give you just one fun fact about Kazuar: Kazuar is the Russian word for cassowary, which is a large flightless bird that is native to Australia, so if any of you wondered what a Kazuar actually looks like, here is a picture.

Now, our story begins in July of 2023. The Ukrainian CERT published a report that described targeted attacks against defense forces for the purpose of espionage, and in this report they describe the use of two main malware. The first one is named Capibar, which is an Exchange server backdoor, and the second one is a new variant of Kazuar, and as you have all realized, today we are talking about the latter. In this report they attributed those attacks to be the work of Turla. So when we first read this report, as a research team we were really excited to get our hands on this new variant to try and pick it apart, so we tried to search if we can get our hands on this new sample, but unfortunately for us it was not uploaded to VT or anywhere else for that matter. It was not publicly available, which made us really sad, but maybe the stars aligned just right in the sky, because we got kind of lucky and we actually managed to find that very sample in our own internal telemetry, which of course made us really excited. So we immediately started to analyze this new variant of Kazuar, and very quickly we were pretty amazed with what we're dealing with. For example, we saw very impressive host data collection capabilities, which we will expand more upon later, but basically it can collect everything from the infected machine. It has a unique set of 45 commands it can receive from the C2. It can use several different techniques for anti-analysis and evasion. It has layers of encryption and obfuscation, and many, many more cool stuff that it can do. So now, without further ado, let me pass the stage to Daniel to talk to you about our analysis of Kazuar.

Thanks Tom. So obviously, when dealing with such a robust and such a complex malware, we had to face some challenges in analyzing it, right? It couldn't be that easy. So let's review these challenges. First of all, a lot of code. This was quite a big sample in terms of malware, so we had thousands of lines of code and classes and whatnot, and of course nothing was just plain text. The strings were obfuscated, the variables and classes did not have any meaningful names whatsoever, so it was just one big chaos, and on top of that the Kazuar authors implemented multiple encryption algorithms, so we also had to face the challenge of trying to decrypt different data from disk.

So, starting to actually solve these challenges, we kind of took the approach of going from the easiest challenge to the most, you can say, difficult challenge. So in terms of obfuscation, the Kazuar authors implemented a really simple Caesar cipher, which, as most of you probably know, is basically just swapping one letter for another, but what they did was implement hundreds of different Caesar cipher instances, so it was really annoying. But what we did was: we opened the malware (it's a .NET malware), we opened it in dnSpy, extracted all of these C# source code files, and then we wrote a script that just located all of these instances of the Caesar cipher and rewrote the result straight into the source code files. What we started to see at this point was mainly Kazuar's really verbose logs, so we started understanding a little bit what the malware was doing.

The second thing, and this was more of a manual labor, was renaming classes and methods. So this is an example of a method that handles encryption of some sort, and as you can see there are no meaningful names except the library functions. So what we did was we just opened the whole project in VS Code, we installed the C# plugin, and the C# plugin allowed us to change these names in bulk. I mean, when we did one change it computed all of the cross references and then it renamed all of the remaining instances of this method or another as well. So we were able to get from what you see on the upper left-hand side to what you see on the bottom right-hand side, and continue and understand the functionality of the malware, and keep renaming and renaming these methods.

Last but not least, this is an example of how a log file of Kazuar looks like on disk. So we also, of course, had to either intercept the encryption process or just understand the algorithm and decrypt it from disk, and get from this to this. Once we were able to do that, we had another interesting glimpse of how well organized the code is and how the Kazuar authors logged all of their activity. You can see that they documented the thread name, the execution time, where the malware was injected to, etc., so it was really cool to see. And this is an example of a Kazuar decrypted configuration file. The configuration file provided us with some really valuable insights, for example the internal versioning of the malware, the C2 servers, the injection modes, which we'll talk about in a second, features that were enabled or disabled, and other interesting and valuable data.

The next thing I would like to talk about is Kazuar's architecture. So as I said, really professional software engineering principles were implemented in the malware. It was really cool to see, and I would like to review some of them. So what are these injection modes? Kazuar has six distinct, what we called, and they called as well actually, injection modes. Each injection mode is basically responsible for a couple of things. First of all, what process should Kazuar be injected to. Kazuar is a really stealthy malware; it doesn't operate as a standalone executable. Every time, it is just being injected to this process or another. And Kazuar also has the ability to either communicate with the command and control server using HTTP, or communicate with other Kazuar nodes on the network via named pipes, so the injection mode also kind of decides which feature is turned on or off. Tom will later talk about these HTTP and proxy modes. And what other general functionality should be turned on or off: each injection mode had its own unique features.

Also, the Kazuar authors implemented a multi-threading model, to obviously handle a lot of tasks simultaneously, so again they really organized and named each thread, and each thread was kind of responsible for a major operation that was taking place on the infected device. So they had event log monitoring, an anti-analysis thread, and also the active window monitoring thread, which, I don't know, it was a little bit funny to me that they called it "peep". It took some time to figure out what this thread was doing. And maybe you noticed that we're missing two other threads. These are kind of the backbone of Kazuar: these are the task solver and the sender threads. These two threads are responsible for sending data to the authors' command and control server and receiving what Kazuar's authors called new tasks, just new things to do on the infected device from its operators: execute commands, download files, or whatever they feel like doing.

And if we deep dive a little bit into this task solving mechanism, you will see first of all the components, which are the command and control server, the sender and solver threads, a task file and the results file, both encrypted obviously. So how it works is pretty simple. The sender thread reads a new task from the command and control server and writes the task into a task file. Then the task solver thread waits for these new files to be written; it will read the task, execute whatever desired command it received from the task file, write an encrypted results file, then add another layer of encryption to this file and send it back to the C2.

Cool. Now allow me to geek out for a second, because I think this is the right conference to do so. So this is, in general, how a Kazuar results file looks like. They have sort of a delimiter, a unique identifier, a UUID, length and content, which are also encrypted. Kazuar uses different manipulations on the machine's UUID to create different encryption keys and different identifiers, and it uses a sort of hybrid encryption: it encrypts the task using AES, but it also encrypts the AES key and the initialization vector using a hardcoded RSA key.

So yeah, now looking at this task solving mechanism, we kind of noticed that this looks familiar. Different reports by CISA and other vendors as well said that Kazuar is the successor of Carbon. Carbon is another backdoor that was previously discovered in 2017 as well, and CISA mentioned that Carbon is a fork of Snake. I don't know how many of you read it; it was a really big report in 2023 about the Snake malware. It was a really super sophisticated malware by Turla. So in terms of attribution it was really cool for us to see all of these similarities and see for ourselves how Kazuar is similar to Carbon, and Carbon is a fork of Snake, and seeing this really cool developmental process by the threat actors. Now I would like to pass the stage back to Tom to talk about some core functionality.

Thank you Daniel. Okay, so we talked about Kazuar's architecture and its layers of encryption and obfuscation. Now let's see what other cool stuff it can do. So the 2017 variant of Kazuar had a list of 26 hardcoded commands. The variant we are talking about today has a list of 45 hardcoded commands. This is just one example of the efforts Turla puts into continuously developing their malware across the years. Now, as there are so many different commands, we organized them into different categories so it's easier to track. It has a lot of capabilities to collect host data and forensic data from the machine, it can manipulate files, it can execute scripts any way you would like (VBS, PowerShell, JavaScript), it can create custom network requests, and one of its powers I want to highlight lies in its information stealing capabilities.

Under Kazuar's information stealing capabilities there are two main commands, which are referred to in the code as the "steal" command and the "unattend" command. By using the steal command the attackers are able to target a variety of different applications to steal passwords, dozens of different browsers; they can choose to steal bookmarks, history, cookies, and two noteworthy applications they target here are Signal and Git, and as you realize, they may contain some very sensitive data. The second command I mentioned is referred to in the code as the unattend command, and it looks like the attackers gave it this name because of the first option under the command, which is to steal unattend.xml files. These are Windows configuration files which sometimes may contain passwords. But the really interesting aspect of this command is all the different cloud applications it enables the attackers to target. This really shows us the growing interest of threat actors in these kinds of platforms. I mean, if an attacker can get access to Google Cloud or AWS, they now have access to tons of data, not to mention all of these sensitive servers.

Now there is another aspect of Kazuar that really impressed me personally during our analysis. When Kazuar is executed it runs a task which is referred to in the code as "first system info". We managed to extract the output of this task and see the log file being sent to the C2, and inside this log file we saw that it sends operating system information, and system boot events, and user information, and hardware information, and more and more and more and more. And honestly, all of this is not even half of the log file it sends to the C2, and because I can't fit it all on the screen (as you can see, I really tried), here is a subset of the list of artifacts it collects from the infected machine to the C2. And the thing is, it doesn't even stop here. If the attackers would like, they could use a forensics command to query for various forensic artifacts from the infected machine, or they could use the autorun command to see if there is other malware that may be infecting the same machine. During our analysis, when I saw all of those capabilities, I said to Daniel that I feel that if Turla really wanted to, they could market Kazuar as a great incident response tool.

Okay, so we see that it collects a bunch of data. How is it being exfiltrated? In order to communicate with the C2, Kazuar is able to use two main methods, which are determined by the injection mode Daniel talked about earlier. The first method is via HTTP. All the data is encrypted, encoded, and sent to the C2. Now, the interesting aspect of the HTTP request lies in the cookie. Kazuar uses a hardcoded cookie value which appears to not have been changed across several variants, across several years, so this is one of several very good detection opportunities we have to try and catch Kazuar. The second method Kazuar is able to use is, as we refer to it, proxy mode. Basically, Kazuar is able to send commands to other Kazuar implants in the network via named pipes. So let's try to visualize how a network infected with Kazuar would look like. We have our C2 that communicates with a Kazuar implant via HTTP; it can receive data, it can send commands. Now, if the attackers would like, they could use this Kazuar implant as a proxy to send commands to other Kazuar implants all over the network. So now the attackers are able, for example, to bypass firewalls, as all of the communication is now internal, and we can't just find infected machines by searching for communication to a malicious domain. So again, most of the Kazuar implants do not directly communicate with the C2, so by using this approach Turla is able to greatly enhance the stealth of their operations and remain undetected, sometimes even for years.

Okay, there is one last aspect of Kazuar that I want to highlight, and it's anti-analysis. Kazuar is able to use several different techniques for anti-analysis; some are basic and some are more advanced. First, we see that it specifically checks for a Kaspersky honeypot. It looks for the existence of several specific file names, both in English and in Russian. Next, it does some very common checks, like different analysis tools and different sandbox modules. And one very unique check that we saw is event log monitoring. Kazuar monitors events for several specific antivirus products, probably so the attackers can tell if they ever get caught by one of these products. And one check, or technique, that we found pretty cool is anti-dumping. Kazuar's code is composed of a combination of .NET library methods and custom methods which were created by the authors of the malware. Now, when Kazuar is running in memory, it goes over the references to all its methods, and if it is a reference to a .NET library method it will keep it as is, but if it's a reference to a custom method it will wipe the reference. So now, if we try to dump Kazuar from memory and analyze the code this way, everything is going to be messed up and our job will be a lot harder. Okay, this is it for me geeking out about Kazuar's capabilities, so I'll pass the stage to Daniel one last time to talk to you about how to catch a Kazuar.

Thank you Tom. So how do you catch a Kazuar? Because it's a really scary bird. In terms of behavioral detection opportunities, first of all, one technical thing we did not mention is that Kazuar stores its log path and its log files, and chooses where to do it from a hardcoded list of directories, and these are really funny looking folders. So this is just one detection opportunity: to check for folder creation inside one of these paths. And similar is the code injection part. Kazuar also has a hardcoded process list, eventually, and it will be injected to one of these processes. So if you have these weird folders, and if you can detect code injection in one of these browsers, you might have Kazuar running on your machine, so bad luck, I guess. And in terms of network communication, Tom mentioned the hardcoded cookie. Kazuar uses this string as a cookie since at least 2019, and I believe it might have been used even earlier than 2019. And as other malwares, when Kazuar exfiltrates data it obviously sends these really long POST requests, and on top of that they also use these randomly generated XML tags on top of these POST requests. So if you combine these two, I think you can, even with a higher certainty, determine that this is indeed a packet of Kazuar.

And finally, I would like to leave you with some key takeaways that we learned from our research and would like to share with you. First of all, it is a state-of-the-art malware. It's kind of a real-life cyber warfare tool, and as researchers it was really, really cool for us to dissect it and analyze it and see how the bad guys, and sophisticated bad guys, are using it in real time. The second takeaway is that, similar to other developers, both malicious and regular developers, the authors kept adapting to current technologies. So as Tom mentioned, this variant really focuses on stealing data from Signal and from cloud applications, and also from source control. All of these technologies are really relevant for today, as you probably know, so the authors knew where to go to and what data to steal. And finally, even though Kazuar is designed for stealth, as we saw in previous slides, detection and prevention is still possible. Although difficult, it is still a detectable malware, so not everything is lost. That's it from us. Thank you for attending our talk. Of course, this was just the tip of the iceberg in terms of the malware analysis. I strongly encourage you to go and read our blog, and yeah, that's it. Thank you, thank you so much.
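The speakers describe, in the analysis section, how they exported the decompiled C# from dnSpy and wrote a script that found every Caesar-cipher string decoder and rewrote the decoded result straight into the source. The script below is an added illustration of that deobfuscation pass by the editor of this page, not the researchers' own tooling: the shape of the decompiled code (hundreds of per-string decoder methods such as `Dec1`/`Dec2`, each wrapping a shared `Caesar(text, shift)` helper with its own hardcoded shift) and the embedded C# sample are constructed assumptions, since the talk does not show the real sample's layout. It walks the source twice: first it harvests each decoder's shift, then it replaces every call on a string literal with the recovered plaintext, leaving C# escape sequences such as `\n` untouched so the rewritten file still compiles.

```python
import re
from pathlib import Path

# Constructed stand-in for a decompiled C# file. Each DecN method is one
# "Caesar cipher instance" with its own shift; the literals are the plaintext
# shifted forward by that amount. Hypothetical names, not from the real sample.
SAMPLE_SOURCE = r'''
internal static class Strs
{
    private static string Dec1(string s) { return Caesar(s, 3); }
    private static string Dec2(string s) { return Caesar(s, 19); }
}

string method = Dec1("SRVW");
string ua = Dec2("Fhsbeet/5.0");
Log(Dec1("Wdvn vroyhu vwduwhg\n"));
'''

# Matches a decoder definition and captures its name and hardcoded shift.
DEF_RE = re.compile(
    r"static\s+string\s+(\w+)\s*\(\s*string\s+\w+\s*\)\s*\{\s*"
    r"return\s+Caesar\(\s*\w+\s*,\s*(-?\d+)\s*\)\s*;\s*\}"
)


def caesar_decode(text: str, shift: int) -> str:
    """Shift ASCII letters back by `shift`, preserving case and non-letters.

    A backslash and the character after it are copied verbatim so that C#
    escape sequences inside the literal (\\n, \\", \\\\) are not corrupted.
    """
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            out.append(text[i:i + 2])
            i += 2
            continue
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 - shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 - shift) % 26 + 65))
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def find_decoders(source: str) -> dict:
    """First pass: map each decoder method name to its shift."""
    return {name: int(shift) for name, shift in DEF_RE.findall(source)}


def deobfuscate(source: str):
    """Second pass: replace DecN("...") calls with the decoded literal.

    Returns the rewritten source and the number of call sites rewritten.
    Only calls on a string literal are touched; calls on variables stay.
    """
    decoders = find_decoders(source)
    if not decoders:
        return source, 0
    names = "|".join(re.escape(n) for n in decoders)
    call_re = re.compile(r'\b(' + names + r')\(\s*"((?:[^"\\]|\\.)*)"\s*\)')
    count = 0

    def repl(match):
        nonlocal count
        count += 1
        plain = caesar_decode(match.group(2), decoders[match.group(1)])
        return '"' + plain + '"'

    return call_re.sub(repl, source), count


def deobfuscate_file(path: str) -> int:
    """Rewrite one exported .cs file in place; returns rewritten call count."""
    p = Path(path)
    new_source, count = deobfuscate(p.read_text(encoding="utf-8"))
    if count:
        p.write_text(new_source, encoding="utf-8")
    return count


if __name__ == "__main__":
    rewritten, n = deobfuscate(SAMPLE_SOURCE)
    print(f"rewrote {n} call sites")
    print(rewritten)
```

Running it on the embedded sample rewrites three call sites, turning `Dec1("SRVW")` into `"POST"` and the log line into readable text, which is the point the speakers make: once the strings are back, the malware's verbose logging starts to explain what each routine does. On a real export you would run `deobfuscate_file` over every `.cs` file under the dnSpy output directory and then proceed to the manual renaming step they describe.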