Security News > 2021 > January > Sunburst backdoor shares features with Russian APT malware
Kaspersky researchers found that the Sunburst backdoor, the malware deployed during the SolarWinds supply-chain attack, shows shared features with Kazuar, a.NET backdoor tentatively linked to the Russian Turla hacking group.
Kazuar is one of the tools used during past Turla operations and, according to Kaspersky, it shares several of its features with the malware created by the group behind the SolarWinds hack.
Samples of the Kazuar backdoor discovered in the wild since February 2020 when Sunburst was first deployed have been tweaked continuously with the similarities deepening towards November 2020 but, at the moment, the connection between the two is not yet known.
The features found to be overlapping in both Kazuar and Sunburst include the algorithm used to generate victim UIDs, the extensive usage of the FNV-1a hash throughout the malware, and the sleeping algorithm used by both backdoors.
Kaspersky found that the Sunburst and Kazuar developers were potentially aware of feature changes in each others' malware which points to a connection between the two given that Sunburst was only discovered in December 2020, after FireEye was breached in the SolarWinds supply-chain attack.
"We believe it's important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach."
News URL
Related news
- Russian charged by U.S. for creating RedLine infostealer malware (source)
- Uncle Sam outs a Russian accused of developing Redline infostealing malware (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor (source)
- Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia (source)
- APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware (source)
- Salt Typhoon hackers backdoor telcos with new GhostSpider malware (source)
- APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign (source)
- Secret Blizzard Deploys Kazuar Backdoor in Ukraine Using Amadey Malware-as-a-Service (source)
- The Mask APT Resurfaces with Sophisticated Multi-Platform Malware Arsenal (source)