First reported in 2017, a similar trojan to Sunburst called Kazuar was already used in global cyber-espionage attacks.

On December 13, 2020, FireEye, Microsoft and SolarWinds announced the discovery of a large, sophisticated supply chain attack that deployed a new, previously unknown malware “Sunburst” used against SolarWinds’ Orion IT customers.

Now, cybersecurity experts from one firm have found various specific code similarities between Sunburst and known versions of Kazuar backdoors—the type of malware that provides remote access to a victim’s machine.

The new findings by Kaspersky provide insights that can help the researchers move forward in the investigation of the attack.

Code similarities linked

While studying the Sunburst backdoor the cyberexperts discovered a number of features that overlapped with a previously identified backdoor called Kazuar, written using the .NET framework first reported by Palo Alto in 2017 and used in cyberespionage attacks across the globe.

Multiple similarities in code suggested a connection between Kazuar and Sunburst, albeit of an undetermined nature. The overlapped features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm and the extensive usage of the FNV-1a hash.

These code fragments are not 100% identical, suggesting Kazuar and Sunburst may be related, though the nature of this relation is still not entirely clear. 

After the Sunburst malware was first deployed, in February 2020, Kazuar continued to evolve and later 2020 variants are even more similar in some respect to Sunburst. 

Overall, during the years of Kazuar evolution, the experts observed a continuous development, in which significant features that bore resemblance to Sunburst, were added. While these similarities between Kazuar and Sunburst were notable, there could be many reasons for their existence, including Sunburst being developed by the same group as Kazuar; Sunburst developers using Kazuar as an inspiration point; the move of one of Kazuar developers to the Sunburst team; or both groups behind Sunburst and Kazuar having obtained their malware from the same source.

According to Costin Raiu, Director of the Global Research and Analysis Team, Kaspersky: “The identified connection does not give away who was behind the SolarWinds attack. However, it provides more insights that can help the researchers move forward in this investigation.”

Raiu believes other researchers around the world should investigate these similarities and attempt to discover more facts about Kazuar and the origin of the SolarWinds infiltration via malignant software updates. “Judging from past experience—for instance, looking back to the WannaCry attack in the early days—there were very few facts linking them to the Lazarus group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research on this topic is crucial for connecting the dots.”