RSA FirstWatch has detected a new variant of Kazy that uses a wrapped JSON file for its command and control. We are dubbing this variant "Kazy Forces" since its known C2 domains are Russian-hosted servers whose names begin with "Forces." VirusTotal has a summary of the infecting malware located here. Here is what this variant looks like in RSA's Security Analytics.
Here is what the session looks like:
A simple application rule can be implemented to detect this variant on your network, regardless of any changing domain names. That rule is:
filename='get_json' && query exists
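The rule above keys on two session metadata fields rather than on any domain, so it survives C2 hostname rotation. The following is an added illustration (not RSA code and not part of the original post) that applies the same logic to constructed HTTP request lines; it assumes that "filename" is the last path segment of the requested URL and "query" is the portion after "?", and the hostnames are placeholders, not the real Kazy Forces C2 domains.

```python
from urllib.parse import urlsplit

# Constructed sample request lines for demonstration; the hostnames are
# placeholders and the values are not taken from the original PCAP.
SAMPLE_REQUESTS = [
    "GET http://c2-placeholder.invalid/get_json?id=1234&v=2 HTTP/1.1",   # rule hit
    "GET http://c2-placeholder.invalid/get_json HTTP/1.1",               # no query
    "GET http://www.example.com/api/get_json.php?user=1 HTTP/1.1",       # wrong filename
    "GET /get_json?cb=99 HTTP/1.1",                                      # relative URI, rule hit
    "POST http://www.example.com/upload?file=report HTTP/1.1",           # unrelated
]


def extract_meta(request_line):
    """Derive (filename, query) from an HTTP request line.

    Assumption: filename is the last path segment of the URL and query is the
    text after '?', or None when there is no query string at all.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return None, None
    url = urlsplit(parts[1])          # handles both absolute and relative URIs
    filename = url.path.rsplit("/", 1)[-1]
    query = url.query if url.query else None
    return filename, query


def matches_kazy_forces_rule(request_line):
    """Equivalent of the application rule: filename='get_json' && query exists."""
    filename, query = extract_meta(request_line)
    return filename == "get_json" and query is not None


def find_hits(request_lines):
    """Return the request lines that trigger the rule, preserving order."""
    return [line for line in request_lines if matches_kazy_forces_rule(line)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_REQUESTS):
        print("Kazy Forces beacon candidate:", hit)
```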
The user-agent strings presented above are also strong indicators of compromise. Each of the command and control domains has been added to the RSA Live Feeds, so customers can detect these malicious hosts. A PCAP sample of this malware in action is attached for review and testing purposes.
Good Luck and Happy Hunting!