The Russian hacker group Secret Blizzard has developed its long-running Kazuar backdoor into a modular peer-to-peer (P2P) botnet designed for long-term persistence, stealth, and data collection.
Secret Blizzard, whose activity overlaps that of Turla, Uroburos, and Venomous Bear, has been associated with the Russian intelligence service (FSB) and is known for targeting government and diplomatic organizations, defense-related entities, and critical systems across Europe, Asia, and Ukraine.
The Kazuar malware has been documented since 2017, and researchers found that its code lineage goes as far back as 2005. Its activity has been linked to the Turla espionage group working for the FSB.
In 2020, researchers exposed its deployment in attacks targeting European government organizations. Three years later, it was seen deployed in attacks against Ukraine.
“Leading” Kazuar
Microsoft researchers analyzed a recent variant of Kazuar and observed that the malware now operates using three distinct modules: kernel, bridge, and worker.
The Kernel module is the central coordinator that manages tasks, controls other modules, elects a leader, and orchestrates communications and data flow across the botnet.
The leader is essentially one infected system within a compromised environment or network segment, which communicates with the command-and-control (C2) server, receives tasks, and forwards them internally to the other infected systems.
Non-leader systems enter “silent” mode and don’t communicate directly with the C2, which improves stealth and reduces the detection surface.
“The Kernel leader is the one elected Kernel module that communicates with the Bridge module on behalf of the other Kernel modules, reducing visibility by avoiding large volumes of external traffic from multiple infected hosts,” explains Microsoft.
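The relay pattern described above (one elected host carries all external traffic while its peers stay internal) leaves a shape in network flow data that a defender can hunt for. The following is an added example, not code from the article or from Microsoft; it runs a simple heuristic over constructed flow records and assumes an internal range of 10.0.0.0/8 and documentation-range addresses standing in for external hosts.

```python
# Added hunting heuristic (not from the article): flag internal hosts that
# fan in connections from several internal peers with no external egress of
# their own, while the hub itself is the only one reaching external addresses.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed corporate range

# Constructed sample flows: (src, dst). 10.0.5.20 plays the elected "leader":
# peers 10.0.5.11-14 talk only to it, and it alone reaches 198.51.100.7
# (a documentation-range placeholder for a C2 server).
SAMPLE_FLOWS = [
    ("10.0.5.11", "10.0.5.20"), ("10.0.5.12", "10.0.5.20"),
    ("10.0.5.13", "10.0.5.20"), ("10.0.5.14", "10.0.5.20"),
    ("10.0.5.20", "198.51.100.7"), ("10.0.5.20", "10.0.5.11"),
    ("10.0.5.30", "10.0.5.31"),    # ordinary internal chatter
    ("10.0.5.31", "203.0.113.9"),  # ordinary host browsing externally
]

def is_internal(addr):
    return ip_address(addr) in INTERNAL_NET

def find_relay_candidates(flows, min_peers=3):
    """Return {hub: {"silent_peers": [...], "external": [...]}} for internal
    hosts that receive connections from at least min_peers internal peers
    lacking any external egress, while the hub itself talks externally."""
    internal_in = defaultdict(set)   # host -> internal peers connecting to it
    external_out = defaultdict(set)  # host -> external destinations reached
    for src, dst in flows:
        if is_internal(dst):
            if is_internal(src):
                internal_in[dst].add(src)
        else:
            external_out[src].add(dst)
    candidates = {}
    for host, peers in internal_in.items():
        silent_peers = {p for p in peers if not external_out.get(p)}
        if len(silent_peers) >= min_peers and external_out.get(host):
            candidates[host] = {"silent_peers": sorted(silent_peers),
                                "external": sorted(external_out[host])}
    return candidates

if __name__ == "__main__":
    for hub, info in find_relay_candidates(SAMPLE_FLOWS).items():
        print(hub, "relays for", info["silent_peers"], "->", info["external"])
```

Legitimate proxies, jump hosts and update servers produce the same shape, so treat a hit as a lead to triage against the host's expected role rather than as a verdict.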