
Sunburst backdoor shares features with Russian APT malware
2021-01-11 09:07

Kaspersky researchers found that the Sunburst backdoor, the malware deployed during the SolarWinds supply-chain attack, shares several features with Kazuar, a .NET backdoor tentatively linked to the Russian Turla hacking group.

Kazuar is one of the tools used during past Turla operations and, according to Kaspersky, it shares several of its features with the malware created by the group behind the SolarWinds hack.

Samples of the Kazuar backdoor found in the wild since February 2020, when Sunburst was first deployed, have been tweaked continuously, with the similarities deepening towards November 2020; for now, the nature of the connection between the two is not known.

The overlapping features found in both Kazuar and Sunburst include the algorithm used to generate victim UIDs, the extensive use of the FNV-1a hash throughout the malware, and the sleeping algorithm used by both backdoors.
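The article names FNV-1a as one of the shared traits but does not show it. The block below is an added example, not code from the article or from Kaspersky: the standard FNV-1a hash in its 32- and 64-bit forms, plus the lookup an analyst performs when a sample stores only hashes of names (processes, services, drivers) and the names must be recovered from a wordlist. The wordlist and the "observed" hashes are constructed; the encoding parameter is there because .NET strings are UTF-16, so the bytes a .NET sample feeds into the hash may differ from the UTF-8 bytes of the same name.

```python
# Added example (not from the article or from Kaspersky): standard FNV-1a
# and the wordlist lookup used to resolve hashed strings during analysis.
from typing import Dict, Iterable, List

FNV_PARAMS = {
    # bits: (offset basis, prime, mask)
    32: (0x811C9DC5, 0x01000193, 0xFFFFFFFF),
    64: (0xCBF29CE484222325, 0x100000001B3, 0xFFFFFFFFFFFFFFFF),
}


def fnv1a(data: bytes, bits: int = 64) -> int:
    """Standard FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h, prime, mask = FNV_PARAMS[bits]
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def resolve_hashes(observed: Iterable[int], candidates: List[str],
                   bits: int = 64, encoding: str = "utf-8") -> Dict[int, str]:
    """Map each observed hash back to the candidate string that produces it.

    A sample that compares FNV-1a values instead of plain names leaves the
    analyst with bare integers; hashing a wordlist of likely names and
    intersecting the two sets is how those integers are turned back into names.
    Try both encodings ("utf-8", "utf-16-le") when the sample is .NET.
    """
    table = {fnv1a(name.encode(encoding), bits): name for name in candidates}
    return {h: table[h] for h in observed if h in table}


if __name__ == "__main__":
    # Constructed wordlist and constructed "observed" hashes for demonstration only.
    wordlist = ["explorer.exe", "svchost.exe", "notepad.exe", "lsass.exe"]
    seen = {fnv1a(b"svchost.exe"), fnv1a(b"notepad.exe"), 0x1234}
    for h, name in resolve_hashes(seen, wordlist).items():
        print(f"0x{h:016x} -> {name}")
```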

Kaspersky found that the Sunburst and Kazuar developers were potentially aware of feature changes in each other's malware, which points to a connection between the two, given that Sunburst was only discovered in December 2020, after FireEye was breached in the SolarWinds supply-chain attack.

"We believe it's important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach."


News URL

https://www.bleepingcomputer.com/news/security/sunburst-backdoor-shares-features-with-russian-apt-malware/