Moonlight Maze: the first APT Group in history?

June 2, 2026

It is 1996. Telefónica has just launched InfoVía, a project that lets you connect to something called the internet through your telephone by dialling 055. This was an internet in which the World Wide Web had only been introduced in 1993, and in which almost everything was different.

Because, yes, dark manoeuvres have always existed, and always will. In that year, 1996, a pair of cyber espionage groups associated (theoretically) with the two superpowers of the time, Russia and the United States, demonstrated with little hesitation just how easy it was to roam freely across an entirely new cyber world.

While Equation Group and its operations were linked to the NSA, another group (indeed, the first one) left very little trace and operated in line with the interests of the other global power.

This group, often classified as the first of its kind, spent years causing alarm across the US administration and its military agencies without anyone knowing who they were or where they came from. In 1998, the FBI and the Department of Defense (DoD) published a forensic investigation that uncovered evidence linking the group to Russia. This led to a hearing before the US Congress that brought the story to public attention (bearing in mind how novel this type of information was at the time).

Source: Kaspersky

The news was revolutionary. It was a return to Cold War spy stories, but set in a new and fascinating arena: cyberspace. Novelty, however, is by definition fleeting. Time passed and these kinds of groups became increasingly common. Combined with the lack of progress in the investigation, interest gradually stalled and many of the records were destroyed or lost. The group's name was even changed to Storm Cloud, which helped dilute its footprint among both the general public and security experts.

By 2006, no one remembered this group anymore. Fade to black, just like in the movies.

Moonlight Maze anticipated modern cyber espionage: persistent, opaque and geopolitical.

The bear rises again

Continuing with the cinematic analogy, the screen would fade back in displaying '2016' and show Thomas Rid working on his book Rise of the Machines: A Cybernetic History. During his research for the book, he came across statements from investigators in several countries linking Moonlight Maze to another group: Turla, later known as Venomous Bear, for which evidence has existed since 2006.

A team of researchers became aware of this and began the difficult search for the legend that was Moonlight Maze, attempting to connect Turla's TTPs and tools with the long-disappeared group. Eventually, they obtained Moonlight Maze data from the administrator of a system that had been compromised years earlier, who had kept the data on an old laptop all those years.

Logs, binaries, scripts... everything needed to prove the theory was correct. The legend was still alive.

From 1999 onwards, the group gradually modified its tools and redirected its attacks towards different targets, blending into a vibrant ecosystem populated by many other APT Groups. No one can deny that the discovery was worthy of a film.

Moonlight Maze re-emerges through Turla: some campaigns do not disappear, they evolve.

Kazuar, the mirror of the soul

What does this story have to do with Kazuar? Kazuar is a piece of malware detected in 2017 (although part of its code dates back to 2005) associated with Venomous Bear. It was a .NET Trojan available for the major platforms: Windows, Linux and macOS. The researchers who discovered it believe it replaced Uroburos, a modular rootkit composed of two files (a driver and an encrypted file system) that was considered particularly dangerous due to its stealth capabilities, despite the fact that researchers at G Data managed to detect and analyse it in depth.

Returning to Kazuar, it was created as a backdoor and featured a noteworthy capability. Unlike other backdoors, which communicate with a predefined C&C server embedded in their code to receive instructions, Kazuar could also deploy a small web server with an API that allowed operators to establish remote connections directly. This effectively reversed the traditional communication flow of these Trojans, giving attackers the ability to operate against their victims whenever they wished, avoiding controls designed to monitor outbound connections (typically the primary method used to detect backdoors) and enabling attackers to move their infrastructure easily. If their C&C servers were discovered, they would not lose access to their victims.
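The inbound listener described above is exactly what outbound-only monitoring misses, so a defender's counterpart is an inventory of local listening sockets checked against an allowlist. The script below is an added example, not code from the article or from any vendor report: it parses constructed `netstat -ano` style lines with a constructed PID-to-image map, and the allowlist of expected (port, image) pairs is an assumption for this host class.

```python
import re

# Constructed sample resembling `netstat -ano` output (not from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1080
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       5320
  TCP    10.0.0.5:52144         93.184.216.34:443      ESTABLISHED     2212
  TCP    127.0.0.1:49701        0.0.0.0:0              LISTENING       7704
"""
# Constructed PID -> image map, as `tasklist` would report it.
PID_IMAGE = {912: "svchost.exe", 4: "System", 1080: "svchost.exe",
             5320: "updater.exe", 2212: "firefox.exe", 7704: "jusched.exe"}
# Allowlist of (port, image) pairs expected on this host class (assumption).
EXPECTED = {(135, "svchost.exe"), (445, "System"), (3389, "svchost.exe")}

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\w+)\s+(\d+)\s*$")

def parse_listeners(netstat_text):
    """Return [(local_ip, port, pid)] for TCP sockets in LISTENING state."""
    found = []
    for line in netstat_text.splitlines():
        m = TCP_LINE.match(line)
        if m and m.group(3) == "LISTENING":
            found.append((m.group(1), int(m.group(2)), int(m.group(4))))
    return found

def unexpected_listeners(netstat_text, pid_image, expected):
    """Listeners whose (port, image) pair is not on the allowlist.

    Each finding is (port, image, pid, reason); the reason separates a known port
    bound by the wrong image from a wholly unexpected port, and flags loopback
    binds, which a remote operator could not reach directly."""
    findings = []
    expected_ports = {p for p, _ in expected}
    for ip, port, pid in parse_listeners(netstat_text):
        image = pid_image.get(pid, "<unknown>")
        if (port, image) in expected:
            continue
        reason = ("expected port bound by unexpected image" if port in expected_ports
                  else "unexpected listening port")
        if ip.startswith("127.") or ip == "[::1]":
            reason += " (loopback only)"
        findings.append((port, image, pid, reason))
    return findings
```

Run periodically and diffed against a baseline, the findings list surfaces a new operator-facing port even when no outbound beacon is ever seen.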

Kazuar achieved considerable success against European governmental and research institutions, compromising thousands of systems across more than 100 countries. It also struck hard against Defence sector targets throughout Eastern Europe, including Ukraine. In these operations, the attackers focused on Exchange servers using an entry vector as 'simple' as a phishing email containing an attached XLSM file (Excel with macros). From there, it deployed its full payload through PowerShell, impersonating the Firefox browser updater and installing Kazuar among other malicious components.

Kazuar reveals an actor that is more adaptable, stealthier and more resilient.

Why is Kazuar the mirror of the soul of Moonlight Maze-Turla-Venomous Bear? And why have we been speaking about Kazuar in the past tense? Because after operating in essentially the same way for almost a decade, it has suddenly transformed (or rather, been transformed by Venomous Bear) into a P2P botnet. The Microsoft team that analysed this variant found that Kazuar now uses three distinct modules:

  • Kernel: responsible for central coordination and communications. Notably, the network appoints a leader within the same environment or network segment (meaning the process is internal and autonomous). The leader maintains external communications and relays information to the other infected machines and vice versa, thereby minimising inbound and outbound activity across compromised systems.

    It is worth taking a closer look at how the leader election process works. Each infected system checks the following conditions:

    • There is no leader on the network.
    • The leader sends an internal message indicating that it is about to shut down or log off.
    • The running leader election process has failed, in which case a new election process is launched.

    If any of these conditions are met, the leader election process begins. It is carried out through Mailslot, and the leader is selected according to a score: the amount of time the kernel module has been running divided by the number of interruptions to its operation (restarts, shutdowns, etc.).

    The system with the highest score declares itself the leader and requests that the others switch to Silence mode.

    Overview of the kernel leadership election process showing how a single active leader is maintained while the remaining kernel instances switch to "silence" mode. Source: Microsoft

  • Bridge: acts as a communications proxy. It relays traffic between the leader kernel and external infrastructure, meaning that only the Bridge module performs this task. Internal communication is based on IPC (inter-process communication), making it far less conspicuous.

  • Worker: the spy component. It records keystrokes, screenshots, files and file system metadata, email data (including content downloaded from Outlook) and more. Microsoft's team identified 40 different types of information collected by the worker.

    High-level module messaging map showing how the leader coordinates worker tasks and uses the bridge module for external communications. Source: Microsoft
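To make the election behaviour concrete for analysts writing detections or reading Microsoft's description, here is an added model of the scoring and trigger logic exactly as the text lays it out. It is illustrative code, not Microsoft's analysis tooling or the implant's own logic; the Mailslot transport is not modelled, how the real implant handles a zero interruption count is not stated in the text (a divisor of one is assumed), and tie-breaking by host name is an assumption made only to keep the model deterministic.

```python
from dataclasses import dataclass

@dataclass
class KernelNode:
    name: str
    uptime_s: int            # time the kernel module has been running
    interruptions: int       # restarts, shutdowns, etc.
    leader: bool = False
    silenced: bool = False
    shutting_down: bool = False

    def score(self) -> float:
        # Assumption: zero interruptions is treated as one (not stated in the text).
        return self.uptime_s / max(1, self.interruptions)

def election_needed(nodes, last_election_failed=False):
    """Return the trigger that fires, in the order the text lists them, or None."""
    leaders = [n for n in nodes if n.leader]
    if not leaders:
        return "no leader on the network"
    if any(n.shutting_down for n in leaders):
        return "leader announced shutdown/logoff"
    if last_election_failed:
        return "previous election failed"
    return None

def run_election(nodes):
    """Highest score declares itself leader and asks the rest to go silent.

    Ties are broken by name only to keep the model deterministic (assumption)."""
    candidates = [n for n in nodes if not n.shutting_down]
    if not candidates:
        return None  # election fails; election_needed(..., True) re-triggers it
    winner = max(candidates, key=lambda n: (n.score(), n.name))
    for n in nodes:
        n.leader = n is winner
        n.silenced = n is not winner
    return winner.name

def simulate():
    """Constructed three-host segment: first election, then the leader logs off."""
    segment = [KernelNode("HOST-A", uptime_s=86_400, interruptions=4),
               KernelNode("HOST-B", uptime_s=43_200, interruptions=1),
               KernelNode("HOST-C", uptime_s=120_000, interruptions=10)]
    history = [(election_needed(segment), run_election(segment))]
    next(n for n in segment if n.leader).shutting_down = True
    history.append((election_needed(segment), run_election(segment)))
    return history
```

The model shows why the scheme favours the most stable host rather than the longest-running one: HOST-C has the most uptime but the most interruptions, so HOST-B (then HOST-A after the logoff) leads, which is the single host whose external traffic a network sensor would see.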

Like the APT Group that created and later modified it, Kazuar is versatile and capable of evolving. It has also inherited the ability to remain hidden, with capabilities that enable it to bypass Windows AMSI (Anti-Malware Scan Interface), ETW (Event Tracing for Windows) and WLDP (Windows Lockdown Policy).

Given this latest change in its toolkit, and the success it has achieved over so many years, it seems unlikely that Moonlight Maze will ever truly disappear.
