Sunburst backdoor shares features with Russian APT malware

Kaspersky researchers found that the Sunburst backdoor, the malware deployed during the SolarWinds supply-chain attack, shares features with Kazuar, a .NET backdoor tentatively linked to the Russian Turla hacking group.
Kazuar is one of the tools used during past Turla operations and, according to Kaspersky, it shares several of its features with the malware created by the group behind the SolarWinds hack.
Samples of the Kazuar backdoor found in the wild since February 2020, when Sunburst was first deployed, have been tweaked continuously, with the similarities deepening towards November 2020; the nature of the connection between the two is, at the moment, not yet known.
The features found to be overlapping in both Kazuar and Sunburst include the algorithm used to generate victim UIDs, the extensive usage of the FNV-1a hash throughout the malware, and the sleeping algorithm used by both backdoors.
Kaspersky found that the Sunburst and Kazuar developers were potentially aware of feature changes in each other's malware, which points to a connection between the two, given that Sunburst was only discovered in December 2020, after FireEye was breached in the SolarWinds supply-chain attack.
"We believe it's important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach."