This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

New Kazy Variant: Kazy Forces

RSAAdmin
Beginner
Beginner
‎2014-03-28 12:31 PM

RSA FirstWatch has detected a new variant of Kazy that uses a wrapped JSON file for its command and control.  We are dubbing this variant "Kazy Forces" since its known C2 domains are Russian Hosted servers that begin "Forces."  VirusTotal has a summary of the infecting malware located here.  Here is what this variant looks like in RSA's Security Analytics.

 

kazy1.JPG.jpg

kazy2.JPG.jpg

kazy3.JPG.jpg

Here is what the session looks like:

 

sessionkazy.JPG.jpg

A simple application rule can be implemented to detect this variant on your network, regardless of any changing domain names.  That rule is:

 

filename='get_json' && query exists

 

The user-agent strings presented above are also strong indicators of compromise.  Each of the Command and Control domains have been added to the RSA Live Feeds, so customers will be capable of detecting these malicious hosts.  A PCAP sample of this malware in action is attached for review and testing purposes.

 

Good Luck and Happy Hunting!

kazyForces.pcap
kazyForces.pcap
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.