New Kazy Variant: Kazy Forces

Blog Post created by RSA Admin Employee on Mar 28, 2014

RSA FirstWatch has detected a new variant of Kazy that uses a wrapped JSON file for its command and control. We are dubbing this variant "Kazy Forces" since its known C2 domains are Russian-hosted servers whose names begin with "Forces". VirusTotal has a summary of the infecting malware located here. Here is what this variant looks like in RSA's Security Analytics.

[Images: RSA Security Analytics views of the Kazy Forces traffic; screenshots not reproduced]

Here is what the session looks like:

[Image: Security Analytics session view; screenshot not reproduced]

A simple application rule can be implemented to detect this variant on your network, regardless of changes to the C2 domain names. That rule is:

filename='get_json' && query exists
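The application rule above has two conditions ANDed together: the requested filename is exactly `get_json`, and the request carries a query string. To show how that logic behaves on real-looking traffic, here is an added, stand-alone Python version of the same check run over a handful of constructed proxy log lines. This is illustrative code, not RSA's rule engine or any code from the post; the hostnames, log format and user-agent values are made up for the example, and the only thing it shares with the original rule is the filename-plus-query condition.

```python
"""Added example: the Security Analytics application rule from the post,
    filename='get_json' && query exists
re-expressed as a standalone URL filter so the logic can be tested offline.
Illustrative code only; the log lines below are constructed samples, not
captured Kazy Forces traffic."""
from urllib.parse import urlsplit
import posixpath


def rule_matches(url: str) -> bool:
    """True when the request's filename (last path segment) is exactly
    'get_json' AND a non-empty query string is present.

    Scheme and host are deliberately ignored, which is what lets the rule
    keep firing when the C2 domain names change."""
    parts = urlsplit(url)
    filename = posixpath.basename(parts.path)
    return filename == "get_json" and bool(parts.query)


# Constructed sample proxy log lines: method, URL, user-agent.  Not real data.
SAMPLE_LOG = [
    'GET http://forces-example.invalid/get_json?id=12345 "Mozilla/4.0"',
    'GET http://forces-example.invalid/get_json "Mozilla/4.0"',          # no query
    'GET http://cdn.example.invalid/static/get_json.js?v=2 "Mozilla/5.0"',  # wrong filename
    'POST http://api.example.invalid/v1/get_json?token=abc "curl/7.29"',
    'GET http://www.example.invalid/index.html?q=get_json "Mozilla/5.0"',  # only in query
]


def parse_log_line(line: str):
    """Split one constructed sample line into (method, url, user_agent)."""
    method, url, ua = line.split(" ", 2)
    return method, url, ua.strip().strip('"')


def find_hits(lines):
    """Return the URLs in `lines` that trip the application rule."""
    hits = []
    for line in lines:
        _, url, _ = parse_log_line(line)
        if rule_matches(url):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for url in find_hits(SAMPLE_LOG):
        print("ALERT kazy_forces_c2_beacon", url)
```

Two of the five sample lines fire: the plain `get_json?id=...` beacon and the `/v1/get_json?token=...` request, which shows the rule is indifferent to the HTTP method and to any path prefix. The `get_json.js` asset and the request that merely mentions `get_json` in its query do not match, so the filename test is what keeps the rule from being a broad substring search. In production, the matching events would then be enriched with the user-agent and destination host before an analyst reviews them.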

The user-agent strings presented above are also strong indicators of compromise. Each of the command and control domains has been added to the RSA Live feeds, so customers will be able to detect these malicious hosts. A PCAP sample of this malware in action is attached for review and testing purposes.

Good Luck and Happy Hunting!
