SolarWinds hack: Kaspersky experts find code similarities between Sunburst malware and Kazuar backdoor.
Kaspersky experts have found specific code similarities between Sunburst and known versions of the Kazuar backdoor. This type of malware allows remote access to a victim's computer. IT security researchers can use the new findings to help them analyze the attack.
In mid-December 2020, FireEye, Microsoft and SolarWinds announced the discovery of a large, highly complex supply chain attack that used the previously unknown malware 'Sunburst' against SolarWinds Orion customers.
Analysis reveals similarities
When analyzing the Sunburst backdoor, the security researchers at Kaspersky discovered a number of functions that overlap with those of the backdoor 'Kazuar', which is written for the .NET Framework. Kazuar was first described by Palo Alto Networks in 2017 and attributed to the APT actor Turla, which has used this backdoor in cyber espionage attacks around the world. Several similarities in the code suggest a connection between Kazuar and Sunburst, albeit one whose nature is as yet undetermined.
The similarities between Sunburst and Kazuar include the victim UID (unique identifier) generation algorithm, the sleep algorithm that delays activity between actions, and the extensive use of the FNV-1a hash. According to the experts, these code fragments are not 100 percent identical, which suggests that Kazuar and Sunburst could be related, although the nature of that relationship is not yet entirely clear.
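Because the FNV-1a hash is named as one of the shared traits, an analyst reading either sample will want to recognize its constants (offset basis 0x811C9DC5 / 0xCBF29CE484222325, prime 0x01000193 / 0x100000001B3) and be able to turn hashed string constants found in a decompiled binary back into plaintext. The following is an added example written for this page; it is not code from the Kaspersky report, from Sunburst or from Kazuar. It implements plain FNV-1a in both widths and a small dictionary resolver. The candidate strings, the encodings tried and the "observed" constants are all constructed here for illustration; the article does not say which strings either family hashes, which encoding it feeds to the hash, or whether the hash output is post-processed, so none of that is claimed.

```python
"""FNV-1a reference implementation plus a resolver for hashed string constants.

Added example for this article, not code from the Kaspersky report or from
either malware family.  Sunburst/Kazuar specifics (which strings are hashed,
byte encoding, any post-processing of the hash) are assumptions, not facts
taken from the page, so the resolver simply tries several plausible variants.
"""

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h = ((h ^ b) * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a64(data: bytes) -> int:
    """64-bit FNV-1a, same structure with the 64-bit offset basis and prime."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


# Encodings a .NET program might plausibly hash: UTF-16LE is the in-memory
# string form, UTF-8 is the usual Encoding.UTF8.GetBytes() choice.  Assumption.
ENCODINGS = ("utf-8", "utf-16-le")


def candidate_forms(s: str):
    """Yield (variant, encoding, bytes) for the spellings a hashing routine
    might have applied before hashing: as-is, lower-cased and upper-cased."""
    for variant in {s, s.lower(), s.upper()}:
        for enc in ENCODINGS:
            yield variant, enc, variant.encode(enc)


def resolve(observed: set[int], candidates: list[str], bits: int = 64) -> dict:
    """Map hashed constants lifted from a sample back to candidate plaintexts.

    Returns {hash: (plaintext_variant, encoding)} for every observed value that
    matched; observed values with no match are simply absent from the result.
    """
    hasher = fnv1a64 if bits == 64 else fnv1a32
    table = {}
    for name in candidates:
        for variant, enc, raw in candidate_forms(name):
            table.setdefault(hasher(raw), (variant, enc))
    return {h: table[h] for h in observed if h in table}


def demo() -> dict:
    """Constructed scenario: a wordlist of tool and process names, and three
    'observed' constants.  Two are built here by hashing lower-cased UTF-16LE
    strings (standing in for values read out of a decompiled sample); the third
    is a deliberately unresolvable value so the caller sees it stay unmapped."""
    wordlist = ["Wireshark.exe", "procmon.exe", "ida64.exe", "svchost.exe"]
    observed = {
        fnv1a64("wireshark.exe".encode("utf-16-le")),
        fnv1a64("ida64.exe".encode("utf-16-le")),
        0xDEADBEEFDEADBEEF,  # constructed: matches nothing in the wordlist
    }
    return resolve(observed, wordlist, bits=64)


if __name__ == "__main__":
    for h, (name, enc) in demo().items():
        print(f"0x{h:016x} -> {name!r} ({enc})")
```

When reversing a sample, the observed set is the list of hard-coded integer constants compared against the hash of runtime data (process names, service names, domain parts), and the wordlist is whatever the analyst believes the code is checking for; a constant that stays unresolved either needs a better wordlist or a different pre-processing step than the ones tried here.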
Kazuar is similar to Sunburst
Since the Sunburst malware was first deployed in February 2020, Kazuar has continued to evolve, and variants from later in 2020 are even more similar to Sunburst in some respects. Over the years of Kazuar's development, the experts at Kaspersky have observed a continuous evolution that added significant features resembling those of Sunburst. These similarities could have several explanations: Sunburst may have been developed by the same group as Kazuar, the Sunburst developers may have used Kazuar as a template, a Kazuar developer may have moved to the Sunburst team, or the two groups behind Sunburst and Kazuar may each have obtained their malware from the same source.
Who is behind the SolarWinds attack?
"The connection we found does not reveal who was behind the SolarWinds attack, but it does provide additional insights that can help researchers advance this analysis," explains Costin Raiu, head of the Global Research and Analysis Team (GReAT) at Kaspersky. "We believe it is important that other researchers around the world investigate these similarities and try to find out more about Kazuar and the origin of the Sunburst malware that was used against SolarWinds. In the case of the WannaCry attack, for example, there were very few facts in the first few days that connected it to the Lazarus group. Over time, however, we found more evidence that allowed us and others to link them with one another with a high probability. Further analysis of such attacks is crucial to get a more complete picture."
More on this at Kaspersky.com
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/