New details on the Sunburst backdoor used in the sprawling SolarWinds supply-chain attack potentially link it to previously known activity by the Turla advanced persistent threat (APT) group.
Researchers at Kaspersky have uncovered several code similarities between Sunburst and the Kazuar backdoor. Kazuar is malware written using the .NET framework that was first reported by Palo Alto in 2017 (though its development goes back to 2015).
It has been spotted as part of cyberespionage attacks across the globe, according to Kaspersky. Researchers there said it has been consistently used together with known Turla tools during multiple breaches in the past three years. Turla (a.k.a. Snake, Venomous Bear, Waterbug or Uroboros) is a Russian-speaking threat actor known since 2014, but with roots that go back to 2004 and earlier, according to previous research from Kaspersky.
The overlapping features between Sunburst and Kazuar include a sleeping algorithm; the extensive usage of the FNV-1a hash; and the algorithm used to generate unique IDs (UIDs) for victims.
“After the Sunburst malware was first deployed in February 2020, Kazuar continued to evolve and later 2020 variants are even more similar, in some respects, to Sunburst,” the firm noted in an analysis published on Monday. “Overall, during the years of Kazuar’s evolution, the experts observed continuous development, in which significant features bearing resemblance to Sunburst were added.”
The report added that while none of these algorithms or implementations are unique, the presence of three distinct overlaps caught researchers’ attention: “One coincidence wouldn’t be that unusual, two coincidences would definitively raise an eyebrow, while three such coincidences are kind of suspicious to us.”
That said, researchers cautioned that the code fragments are not completely identical – leaving several possible reasons for the overlap.
“While these similarities between Kazuar and Sunburst are notable, there could be a lot of reasons for their existence, including Sunburst being developed by the same group as Kazuar [Turla], Sunburst’s developers using Kazuar as inspiration, a Kazuar developer moving to the Sunburst team, or both groups behind Sunburst and Kazuar having obtained their malware from the same source,” according to the report.
Sleeping Algorithm
Malware often employs a snooze function, where it goes dormant for a specified amount of time after installation or in between activity in order to avoid security controls and make its network traffic less obvious.
Both Kazuar and Sunburst have implemented such a delay between connections to their command-and-control (C2) servers, in very similar ways.
“Kazuar calculates the time it sleeps between two C2 server connections as follows: it takes two timestamps, the minimal sleeping time and the maximal sleeping time, and calculates the waiting period with [this] formula: generated_sleeping_time = sleeping_time_min + x (sleeping_time_max – sleeping_time_min).”
In the formula, “x” is a random number ranging from 0 to 1 obtained by calling the NextDouble method, while “sleeping_time_min” and “sleeping_time_max” are obtained from the C2 configuration. Sunburst uses the exact same formula to calculate sleeping time, only with less complex code.
“By default, Kazuar chooses a random sleeping time between two and four weeks, while Sunburst waits from 12 to 14 days,” according to the analysis, which also noted that such long sleep periods in C2 connections are not very common for typical APT malware. “Sunburst, like Kazuar, implements a command which allows the operators to change the waiting time between two C2 connections.”
The FNV-1a Hashing Algorithm
Sunburst and Kazuar both use the FNV-1a hashing algorithm extensively throughout their code, Kaspersky researchers noted.
A modified 32-bit FNV-1a hashing algorithm has been used by the Kazuar shellcode since 2015 to resolve APIs, researchers said, while a modified 64-bit version of FNV-1a was implemented in Kazuar versions found in 2020. The latter adds an extra step: after the hash is calculated, it is XORed with a hardcoded constant. This change is also seen in Sunburst’s 64-bit FNV-1a hashing algorithm, researchers noted, though the constant itself is different between Kazuar and Sunburst.
“This hashing algorithm is not unique to Kazuar and Sunburst,” researchers said. “However, it provides an interesting starting point for finding more similarities.”
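For analysts, the practical consequence of the extra XOR step is small, as this added example shows (it is not code from Kaspersky or from either malware family). It implements standard 64-bit FNV-1a plus the final XOR, recovers the constant from one known string/hash pair, and resolves extracted hashes against a wordlist; the constant, hash list and wordlist are constructed placeholders.

```python
# Added example for analysts; not code from Kaspersky, Kazuar or Sunburst.
FNV64_OFFSET = 0xCBF29CE484222325  # standard FNV-1a 64-bit offset basis
FNV64_PRIME = 0x100000001B3        # standard FNV-1a 64-bit prime
MASK64 = 0xFFFFFFFFFFFFFFFF
# Placeholder: the article does not give either family's real constant.
XOR_CONSTANT = 0x1122334455667788


def fnv1a_64(data: bytes) -> int:
    """Standard FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for byte in data:
        h = ((h ^ byte) * FNV64_PRIME) & MASK64
    return h


def modified_fnv1a_64(data: bytes, xor_constant: int = XOR_CONSTANT) -> int:
    """The extra step described above: XOR the finished hash with a constant."""
    return fnv1a_64(data) ^ xor_constant


def recover_constant(known_string: bytes, observed_hash: int) -> int:
    """One known string/hash pair reveals the constant (XOR is its own inverse)."""
    return fnv1a_64(known_string) ^ observed_hash


def resolve_hashes(hashes, candidates, xor_constant=XOR_CONSTANT):
    """Map each extracted hash to the candidate string producing it, or None."""
    table = {modified_fnv1a_64(c.encode("utf-8"), xor_constant): c
             for c in candidates}
    return {h: table.get(h) for h in hashes}


# Constructed stand-ins for hash values pulled out of a sample's string table.
EXTRACTED = [modified_fnv1a_64(b"alpha_monitor"),
             modified_fnv1a_64(b"beta_scanner")]
# Constructed analyst wordlist; only the first entry matches an extracted hash.
WORDLIST = ["alpha_monitor", "gamma_agent", "delta_service"]

if __name__ == "__main__":
    for value, name in resolve_hashes(EXTRACTED, WORDLIST).items():
        print(f"{value:#018x} -> {name or 'unresolved'}")
```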
UID Algorithm
In order to generate unique strings across different victims, such as client identifiers, mutexes or file names, both Kazuar and Sunburst use a hashing algorithm which is different from their otherwise pervasive FNV-1a hash: A combination of MD5+XOR.
Kazuar uses an algorithm which accepts a string as input, according to Kaspersky. To derive a unique string, the backdoor gets the MD5 hash of the string and then XORs it with a four-byte unique “seed” from the machine. The seed is obtained by fetching the serial number of the volume where the operating system is installed.
“An MD5+XOR algorithm can also be found in Sunburst,” researchers explained. “However, instead of the volume serial number, it uses a different set of information as the machine’s unique seed, hashes it with MD5 then it XORs the two hash halves together [into an eight-bytes result].”
This information set includes the first adapter MAC address, the computer domain and machine GUID.
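The two UID schemes side by side, as an added example for incident responders (not code from Kaspersky or from either malware family). The function names, field order and encoding, seed byte order and the repetition of the four-byte seed across the digest are assumptions the article does not specify, and the inventory values are constructed.

```python
# Added example; function names and input formats are hypothetical.
import hashlib
from typing import Dict, Optional, Tuple


def kazuar_style_uid(label: str, volume_serial: int) -> bytes:
    """MD5 of the input string, XORed with a four-byte machine seed."""
    digest = hashlib.md5(label.encode("utf-8")).digest()
    # Assumption: little-endian seed, repeated across all 16 digest bytes.
    seed = volume_serial.to_bytes(4, "little")
    return bytes(b ^ seed[i % 4] for i, b in enumerate(digest))


def sunburst_style_uid(mac: str, domain: str, machine_guid: str) -> bytes:
    """MD5 of the machine information, with the two halves XORed to 8 bytes."""
    # Assumption: simple concatenation in this order, UTF-8 encoded.
    digest = hashlib.md5((mac + domain + machine_guid).encode("utf-8")).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def map_uid_to_host(observed: bytes,
                    inventory: Dict[str, Tuple[str, str, str]]) -> Optional[str]:
    """Find which inventoried host would produce an observed 8-byte UID."""
    for host, (mac, domain, guid) in inventory.items():
        if sunburst_style_uid(mac, domain, guid) == observed:
            return host
    return None


# Constructed asset inventory: host -> (first adapter MAC, domain, machine GUID).
INVENTORY = {
    "ws-01": ("00005E005301", "corp.example",
              "11111111-2222-3333-4444-555555555555"),
    "ws-02": ("00005E005302", "corp.example",
              "66666666-7777-8888-9999-aaaaaaaaaaaa"),
}

if __name__ == "__main__":
    observed = sunburst_style_uid(*INVENTORY["ws-02"])  # constructed observation
    print(observed.hex(), "->", map_uid_to_host(observed, INVENTORY))
    print(kazuar_style_uid("constructed-mutex-name", 0x1234ABCD).hex())
```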
Turla or Not Turla – Jury is Out
The sprawling SolarWinds espionage attack is known to have affected up to 10 federal government departments, Microsoft, FireEye and dozens of others so far.
Sunburst, a.k.a. Solorigate, is the malware used as the tip of the spear in the campaign, in which adversaries were able to use SolarWinds’ Orion network management platform to infect targets. It was pushed out via trojanized product updates to almost 18,000 organizations around the globe, starting nine months ago. With Sunburst embedded, the attackers have since been able to pick and choose which organizations to further penetrate.
Further exploitation by the unknown advanced persistent threat (APT) group, dubbed UNC2452 or DarkHalo by researchers, involves installing more malware, installing persistence mechanisms and exfiltrating data, according to Kaspersky.
Is that threat group actually Turla? “It is a complex cyberattack platform focused predominantly on diplomatic and government-related targets, particularly in the Middle East, Central and Far East Asia, Europe, North and South America, and former Soviet bloc nations,” according to the firm.
The group is also known for its custom espionage toolset that is in a constant state of development. For instance, in November Kazuar added fresh spying features, including a keylogger and a password stealer which can fetch browser history data, cookies, proxy server credentials and, most importantly, passwords from internet browsers, Filezilla, Outlook, Git and WinSCP. It also gets vault credentials.
Kaspersky researchers cautioned that while the evidence of collaboration is compelling, the seeming links between Turla and Sunburst should be taken with a grain of salt. For instance, there is the possibility that Kazuar false flags were deliberately introduced into Sunburst – a tactic that was famously seen in the Olympic Destroyer wiper attack.
“A sample of Kazuar was released before Sunburst was written, containing the modified 64-bit hash function, and went unnoticed by everyone except the Sunburst developers,” researchers noted. “In this case, the Sunburst developers must have been aware of new Kazuar variants. Obviously, tracing all modifications of unknown code is quite a difficult and tedious task [since] Kazuar’s developers are constantly changing their code as well as the packing methods, thus making it harder to detect the backdoor with YARA rules [and] Kazuar samples (especially the new ones) quite rarely appear on VirusTotal.”
That said, the extra XOR after the hash was introduced in the 2020 Kazuar variants after it had appeared in Sunburst, researchers said.
“The identified connection does not give away who was behind the SolarWinds attack, however, it provides more insights that can help researchers move forward in this investigation,” said Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, in a media statement. “Judging from past experience, for instance, looking back to the WannaCry attack, in the early days, there were very few facts linking it to the Lazarus group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research on this topic will be crucial for connecting the dots.”