Secret Blizzard Upgrades Kazuar Backdoor to Modular P2P Botnet
The Russian hacker group Secret Blizzard has evolved the Kazuar backdoor into a modular P2P botnet designed for persistence, stealth, and data collection, utilizing kernel, bridge, and worker modules for command and control and data exfiltration.
The Russian hacker group Secret Blizzard, associated with Turla, Uroburos, and Venomous Bear and linked to the FSB, has transformed its Kazuar backdoor into a sophisticated modular peer-to-peer (P2P) botnet. This upgrade, observed in recent Kazuar variants, emphasizes long-term persistence, stealth, and enhanced data collection. Secret Blizzard, known for targeting government, diplomatic, and defense-related organizations across Europe, Asia, and Ukraine, has been utilizing Kazuar since 2017, with code lineage tracing back to 2005. The botnet now features three modules: Kernel, Bridge, and Worker, with 150 configuration options to customize security bypasses, task scheduling, and data exfiltration. This evolution presents a significant challenge for defenders due to Kazuar’s modularity and evasion capabilities.
Attack Chain
- Initial Compromise: Secret Blizzard gains initial access to a target system through an undisclosed method.
- Kazuar Deployment: The initial Kazuar backdoor is deployed on the compromised system.
- Module Installation: The kernel, bridge, and worker modules are installed, establishing the botnet framework.
- Kernel Module Leadership Election: The kernel module autonomously selects a “leader” within the compromised environment based on uptime, reboots, and interruption counts.
- Silent Mode Activation: Non-leader systems enter “silent” mode, minimizing direct communication with the C2 server for stealth.
- Bridge Module Communication: The elected kernel leader communicates with the bridge module, which acts as a proxy for external C2 communications over HTTP, WebSockets, or Exchange Web Services (EWS).
- Worker Module Execution: The worker module performs espionage activities such as keylogging, screenshot capture, file system data harvesting, system/network reconnaissance, email data collection, window monitoring, and recent file theft.
- Data Exfiltration: Collected data is encrypted, staged locally, and exfiltrated through the bridge module to the C2 server.
Impact
Secret Blizzard aims for long-term persistence on target systems to collect intelligence. The group exfiltrates documents and email content of political importance. Successful attacks lead to significant data breaches, compromising sensitive government, diplomatic, and defense-related information. The modular nature of Kazuar and its security bypass capabilities (AMSI, ETW, WLDP) make it highly evasive, increasing the risk of prolonged undetected presence within compromised networks.
Recommendation
- Focus on behavioral detection methods rather than static signatures due to Kazuar’s modular and configurable nature (Microsoft recommendation).
- Monitor for unusual network traffic patterns indicative of P2P botnet activity, specifically looking for internal communications using Windows Messaging, Mailslots, and named pipes (Attack Chain step 6).
- Deploy the Sigma rule “Detect Suspicious EWS Access” to identify potential C2 communications via Exchange Web Services (EWS) as described in the Attack Chain.
- Enable process monitoring and command-line logging to detect worker module activities like keylogging, screenshot capture, and data harvesting (Attack Chain step 7).
- Implement the Sigma rule “Detect Data Harvesting via Common Utilities” to identify potential data staging activity by the worker module before exfiltration.
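The recommendations above describe behavioural detections rather than signatures: unexpected processes reaching Exchange Web Services, data-staging activity through common copy and archive utilities, and internal named-pipe traffic from processes that do not normally create pipes. The following Python script is an added example of that logic run over constructed Sysmon-style records; it is not the page's Sigma rules and not Microsoft's or the vendor's code. The event field names, the allow-lists of expected EWS clients and pipe creators, the list of staging utilities and every sample event are assumptions built for the example and would be tuned to a real estate.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network
# connect with the proxy-observed URL joined in, 17 = named pipe created).
# Sample records built for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy C:\Users\alice\Documents C:\ProgramData\tmp\stage /S"},
    {"id": 1, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -p -mhe=on C:\ProgramData\tmp\out.7z C:\ProgramData\tmp\stage"},
    {"id": 1, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x C:\Users\alice\Downloads\tool.zip"},   # extraction, benign
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Compress-Archive -Path C:\ProgramData\tmp\stage -DestinationPath C:\ProgramData\tmp\s.zip"},
    {"id": 3, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "url": "https://mail.example.test/EWS/Exchange.asmx"},        # expected EWS client
    {"id": 3, "image": r"C:\ProgramData\svc\update.exe",
     "url": "https://mail.example.test/EWS/Exchange.asmx"},        # unexpected EWS client
    {"id": 17, "image": r"C:\Windows\System32\svchost.exe", "pipe": r"\srvsvc"},
    {"id": 17, "image": r"C:\ProgramData\svc\update.exe", "pipe": r"\1f3a9c4e"},
]

# Utilities commonly abused to copy, archive or compress data before exfiltration.
# The lists and the verb checks are assumptions to be tuned per site.
COPY_UTILS = {"robocopy.exe", "xcopy.exe"}
ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe", "makecab.exe"}
ARCHIVE_ADD = re.compile(r"^\s*\S+\s+a\b", re.I)      # "7z.exe a ..." / "rar.exe a ..."
PS_COMPRESS = re.compile(r"compress-archive", re.I)

# Standard EWS endpoint path; the expected-client baseline is an assumption.
EWS_ENDPOINT = re.compile(r"/ews/exchange\.asmx", re.I)
EWS_EXPECTED = {"outlook.exe"}

# Processes that routinely create named pipes on a baseline host (assumption).
PIPE_BASELINE = {"svchost.exe", "lsass.exe", "services.exe", "spoolsv.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_data_staging(events):
    """Process-create events that look like local staging: bulk copies,
    archive creation (not extraction) or PowerShell compression."""
    hits = []
    for ev in events:
        if ev["id"] != 1:
            continue
        name, cmd = image_name(ev["image"]), ev["cmdline"]
        if name in COPY_UTILS:
            hits.append(ev)
        elif name in ARCHIVERS and (name == "makecab.exe" or ARCHIVE_ADD.match(cmd)):
            hits.append(ev)
        elif name == "powershell.exe" and PS_COMPRESS.search(cmd):
            hits.append(ev)
    return hits


def detect_unexpected_ews(events):
    """Network events to the EWS endpoint from a process outside the baseline."""
    return [ev for ev in events
            if ev["id"] == 3 and EWS_ENDPOINT.search(ev.get("url", ""))
            and image_name(ev["image"]) not in EWS_EXPECTED]


def detect_unbaselined_pipes(events):
    """Named-pipe creation by a process that is not a known pipe creator."""
    return [ev for ev in events
            if ev["id"] == 17 and image_name(ev["image"]) not in PIPE_BASELINE]


def correlate(events):
    """Images that fire more than one detection. A node that both opens pipes
    for internal traffic and reaches EWS matches the bridge/kernel pattern."""
    seen = {}
    for det in (detect_data_staging, detect_unexpected_ews, detect_unbaselined_pipes):
        for ev in det(events):
            seen.setdefault(ev["image"], set()).add(det.__name__)
    return {img for img, dets in seen.items() if len(dets) >= 2}


if __name__ == "__main__":
    for det in (detect_data_staging, detect_unexpected_ews, detect_unbaselined_pipes):
        for ev in det(SAMPLE_EVENTS):
            print(f"{det.__name__}: {ev['image']}")
    print("images with multiple detections:", correlate(SAMPLE_EVENTS))
```

Each detector alone is noisy on a real estate (archivers and robocopy have legitimate uses), which is why the script also correlates: an image that both creates an unbaselined pipe and talks to EWS from outside the mail client allow-list is far more specific than either signal on its own.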
Detection coverage
Detect Suspicious EWS Access (severity: medium)
Detects unusual processes accessing Exchange Web Services (EWS), potentially indicating C2 communication via the Bridge module.
Detect Data Harvesting via Common Utilities (severity: medium)
Detects potential data staging activity by the worker module using commonly abused utilities for file copying, archiving, or compression.