Researchers have spotted notable code overlap between the Sunburst backdoor and a known Turla tool.
New details on the Sunburst backdoor used in the sprawling SolarWinds supply-chain attack potentially link it to previously known activity by the Turla advanced persistent threat (APT) group.
Researchers at Kaspersky have uncovered several code similarities between Sunburst and the Kazuar backdoor. Kazuar is malware written using the .NET framework that was first reported by Palo Alto Networks in 2017, though its development goes back to 2015.
It has been spotted in cyber-espionage attacks across the globe, according to Kaspersky, whose researchers noted that it has been used consistently alongside known Turla tools in multiple breaches over the past three years.
Turla (a.k.a. Snake, Venomous Bear, Waterbug or Uroboros) is a Russian-speaking threat actor known since 2014, but with roots that go back to 2004 and earlier, according to previous research from Kaspersky.
The overlapping features between Sunburst and Kazuar include the sleeping algorithm; the extensive use of the FNV-1a hash; and the algorithm used to generate unique IDs (UIDs) for victims.
“After the Sunburst malware was first deployed in February 2020, Kazuar continued to evolve and later 2020 variants are even more similar, in some respects, to Sunburst,” the firm noted in an analysis published on Monday.
“Overall, during the years of Kazuar’s evolution, the experts observed continuous development, in which significant features bearing resemblance to Sunburst were added.”
The report added that while none of these algorithms or implementations is unique, the presence of three distinct overlaps caught researchers’ attention:
“One coincidence wouldn’t be that unusual, two coincidences would definitively raise an eyebrow, while three such coincidences are kind of suspicious to us.”
Researchers cautioned that the code fragments are not completely identical, leaving several possible explanations for the overlap.
“While these similarities between Kazuar and Sunburst are notable, there could be a lot of reasons for their existence, including Sunburst being developed by the same group as Kazuar [Turla], Sunburst’s developers using Kazuar as inspiration, a Kazuar developer moving to the Sunburst team, or both groups behind Sunburst and Kazuar having obtained their malware from the same source,” according to the report.
Sleeping Algorithm
Malware often employs a snooze function, going dormant for a specified amount of time after installation or between bursts of activity in order to avoid security controls and make its network traffic less conspicuous.
Both Kazuar and Sunburst implement such a delay between connections to their command-and-control (C2) servers, in very similar ways.
“Kazuar calculates the time it sleeps between two C2 server connections as follows: it takes two timestamps, the minimal sleeping time and the maximal sleeping time, and calculates the waiting period with this formula: generated_sleeping_time = sleeping_time_min + x * (sleeping_time_max – sleeping_time_min).”
In the formula, “x” is a random number between 0 and 1 obtained by calling the .NET Random.NextDouble method, while “sleeping_time_min” and “sleeping_time_max” come from the C2 configuration. Sunburst uses the exact same formula to calculate its sleeping time, only with less complex code.
“By default, Kazuar chooses a random sleeping time between two and four weeks, while Sunburst waits from 12 to 14 days,” according to the analysis, which also noted that such long sleep periods between C2 connections are not very common for typical APT malware. “Sunburst, like Kazuar, implements a command which allows the operators to change the waiting time between two C2 connections.”
FNV-1a Hashing Algorithm
Sunburst and Kazuar both use the FNV-1a hashing algorithm extensively throughout their code, Kaspersky researchers noted.
A modified 32-bit FNV-1a has been used by the Kazuar shellcode since 2015 to resolve APIs, researchers said, while a modified 64-bit version of FNV-1a was implemented in Kazuar versions found in 2020.
The latter adds an extra step: after the hash is calculated, it is XORed with a hardcoded constant. The same change is seen in Sunburst’s 64-bit FNV-1a hashing algorithm, researchers noted, though the constant itself differs between Kazuar and Sunburst.
“This hashing algorithm is not unique to Kazuar and Sunburst,” researchers said. “However, it provides an interesting starting point for finding more similarities.”
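To make the hashing overlap concrete, the following is an added example written for this article (it is not code from Kazuar, Sunburst or Kaspersky). It implements standard 32-bit and 64-bit FNV-1a, the “modified” 64-bit variant that XORs the result with a hardcoded constant, and the lookup-table approach an analyst uses to recover which API or DLL name a stored hash refers to. The XOR key and the candidate name list are assumptions chosen for the demonstration; neither malware family’s real constant is given in the article.

```python
"""FNV-1a and the post-hash XOR variant, with a hash-to-name lookup.

Illustrative analyst code for this article. DEMO_KEY and the candidate
name list are assumptions for the demo, not values taken from Kazuar or
Sunburst.
"""
from typing import Callable, Dict, Iterable, Optional

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x00000100000001B3

# Assumption: an arbitrary key for the demonstration only.
DEMO_KEY = 0x0123456789ABCDEF


def fnv1a_32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h = ((h ^ b) * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """Standard 64-bit FNV-1a."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def fnv1a_64_xor(data: bytes, key: int) -> int:
    """The 'modified' variant the article describes: plain FNV-1a 64, then
    XOR with a hardcoded constant. Kazuar (2020) and Sunburst each use
    their own constant, so the key is a parameter here."""
    return fnv1a_64(data) ^ (key & 0xFFFFFFFFFFFFFFFF)


def build_hash_table(candidates: Iterable[str],
                     hash_fn: Callable[[bytes], int]) -> Dict[int, str]:
    """Precompute hash -> name for a list of likely strings (API names,
    DLLs, process names). Because the XOR key is applied after hashing,
    an analyst who has pulled the constant out of a sample can rebuild
    this table and decode every hash the sample stores."""
    return {hash_fn(name.encode()): name for name in candidates}


def resolve(hash_value: int, table: Dict[int, str]) -> Optional[str]:
    """Return the name behind a hash, or None if it is not a candidate."""
    return table.get(hash_value)


if __name__ == "__main__":
    # Constructed candidate list for the demo.
    names = ["kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll"]
    table = build_hash_table(names, lambda d: fnv1a_64_xor(d, DEMO_KEY))
    target = fnv1a_64_xor(b"user32.dll", DEMO_KEY)
    print(f"{target:016x} -> {resolve(target, table)}")
    print(f"unmodified FNV-1a 64 of 'a': {fnv1a_64(b'a'):016x}")
```

The same table-building step works for the 32-bit shellcode variant by passing `fnv1a_32` (or a 32-bit XOR wrapper) as `hash_fn`; the only thing that changes between families and versions is the width and the trailing constant.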
Unique Victim IDs
To generate strings that are unique per victim, such as client identifiers, mutexes or file names, both Kazuar and Sunburst use an algorithm distinct from their otherwise pervasive FNV-1a hash: a combination of MD5 and XOR.
Kazuar’s version accepts a string as input, according to Kaspersky. To derive a unique string, the backdoor takes the MD5 hash of the input and XORs it with a 4-byte “seed” unique to the machine.
The seed is the serial number of the volume on which the operating system is installed.
“An MD5+XOR algorithm can also be found in Sunburst,” researchers explained. “However, instead of the volume serial number, it uses a different set of information as the machine’s unique seed, hashes it with MD5, then XORs the two hash halves together into an 8-byte result.”
That information set consists of the first network adapter’s MAC address, the computer’s domain and the machine GUID.
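The two MD5+XOR derivations, as an added example for this article rather than code from either malware family or from Kaspersky. The article does not specify how a 4-byte seed is spread across a 16-byte digest or how Sunburst orders the MAC, domain and GUID before hashing, so those layouts are assumptions noted in the code; the sample host values are constructed.

```python
"""Per-victim unique strings: MD5 XOR 4-byte seed (Kazuar-style) and
MD5 with folded halves (Sunburst-style).

Illustrative code for this article. Layout details marked 'assumption'
are not given in the source; sample host values are constructed.
"""
import hashlib
import struct


def xor_with_seed(digest: bytes, seed: int) -> bytes:
    """Kazuar-style step: XOR a 16-byte MD5 digest with a 4-byte seed.
    Assumption: the seed is applied to each 32-bit little-endian word of
    the digest, i.e. repeated four times across the 16 bytes."""
    if len(digest) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    seed &= 0xFFFFFFFF
    words = struct.unpack("<4I", digest)
    return struct.pack("<4I", *(w ^ seed for w in words))


def fold_halves(digest: bytes) -> bytes:
    """Sunburst-style step: XOR the two 8-byte halves of an MD5 digest
    into a single 8-byte result."""
    if len(digest) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def kazuar_unique_string(name: str, volume_serial: int) -> str:
    """Derive a per-victim string (mutex, file name, client ID) from a fixed
    name and the OS volume serial number used as the 4-byte seed.
    With seed 0 this degenerates to the plain MD5 of the name."""
    digest = hashlib.md5(name.encode()).digest()
    return xor_with_seed(digest, volume_serial).hex()


def sunburst_user_id(mac: bytes, domain: str, machine_guid: str) -> str:
    """Derive an 8-byte victim ID from the first adapter's MAC address, the
    computer domain and the MachineGuid. Assumption: the three values are
    concatenated in that order with no separator before hashing."""
    material = mac + domain.encode() + machine_guid.encode()
    return fold_halves(hashlib.md5(material).digest()).hex()


if __name__ == "__main__":
    # Constructed sample host values for the demo.
    serial = 0xA1B2C3D4
    mac = bytes.fromhex("001122334455")
    domain = "corp.example"
    guid = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"

    print("Kazuar-style mutex :", kazuar_unique_string("Global\\demo", serial))
    print("Sunburst-style UID :", sunburst_user_id(mac, domain, guid))
    # The same fixed name on a different volume yields a different string,
    # which is why these values cannot be used as static IOCs across hosts.
    print("Other volume       :", kazuar_unique_string("Global\\demo", serial + 1))
```

The practical point for responders: because both schemes fold a host-specific seed into the hash, the mutex or file name seen on one victim will not match any other, so hunting has to key on the derivation (or on the seed inputs collected from a host) rather than on the literal string.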
U.S. Federal Government Departments
The sprawling SolarWinds espionage attack is known to have affected up to 10 U.S. federal government departments, Microsoft, FireEye and dozens of other organizations so far.
Sunburst, a.k.a. Solorigate, is the malware used as the tip of the spear in the campaign, in which adversaries used SolarWinds’ Orion network-management platform to reach targets.
It was delivered via trojanized product updates to almost 18,000 organizations globally, starting in March 2020. With Sunburst embedded, the attackers were able to pick and choose which organizations to penetrate further.
Turla or Not Turla
Further exploitation by the still-unattributed APT group behind the campaign, dubbed UNC2452 by FireEye and DarkHalo by Volexity, involves installing additional malware and persistence mechanisms and exfiltrating data, Kaspersky said.
Is that threat group actually Turla? Kaspersky describes Turla as “a complex cyberattack platform focused predominantly on diplomatic and government-related targets, particularly in the Middle East, Central and Far East Asia, Europe, North and South America, and former Soviet bloc nations.”
The group is also known for a custom espionage toolset in a constant state of development. In November 2020, Kazuar gained fresh spying features, including a keylogger and a password stealer that can collect browser history, cookies, proxy-server credentials and, most importantly, saved passwords from web browsers, FileZilla, Outlook, Git and WinSCP. It also collects credentials stored in the Windows vault.
Kaspersky researchers cautioned that, notable as the overlaps are, the apparent links between Turla and Sunburst should be taken with a grain of salt. For instance, there is the possibility that Kazuar “false flags” were deliberately introduced into Sunburst, a tactic famously seen in the Olympic Destroyer wiper attack.
“A sample of Kazuar was released before Sunburst was written, containing the modified 64-bit hash function, and went unnoticed by everyone except the Sunburst developers,” researchers noted. “In this case, the Sunburst developers must have been aware of new Kazuar variants.
Obviously, tracing all modifications of unknown code is quite a difficult and tedious task since Kazuar’s developers are constantly changing their code as well as the packing methods, thus making it harder to detect the backdoor with YARA rules, and Kazuar samples (especially the new ones) quite rarely appear on VirusTotal.”
Researchers also noted that the extra XOR after the hash was introduced in the 2020 Kazuar variants after it had appeared in Sunburst.
“The identified connection does not give away who was behind the SolarWinds attack, however, it provides more insights that can help researchers move forward in this investigation,” said Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, in a media statement.
“Judging from past experience, for instance, looking back to the WannaCry attack, in the early days, there were very few facts linking it to the Lazarus group.
In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research on this topic will be crucial for connecting the dots.”