Detecting a new Kazy variant using RSA Security Analytics

Blog Post created by ahsonbol on Mar 9, 2015

Sometimes, it is really easy to spot the differences between regular and malicious network traffic. In this blog post, we will discuss how to detect a new Kazy variant based on the traffic originating from a couple of infected virtual machines in RSA FirstWatch Malware Analysis Systems.

The screenshot below shows the HTTP traffic between the bots and their C2 domains:


Using RSA Security Analytics to reconstruct one of those sessions, we can see that the User-Agent string is missing from the HTTP headers.


Given all the network artifacts mentioned above and assuming the appropriate meta keys are enabled, an analyst can develop an app rule on RSA Security Analytics to detect the malicious traffic. The following query can be used:

            directory = '/spa0wejk2490234jsdf0rta/' && action = 'put' && filename = '<none>' && client !exists
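
The same four conditions evaluated over raw HTTP requests, as an added example (not from the original post and not RSA code). It assumes `directory` and `filename` are derived from the request path, `action` from the request method, and `client` from the User-Agent header; the sample requests and host name are constructed.

```python
from urllib.parse import urlsplit

# Directory value taken from the query on this page.
KAZY_DIRECTORY = "/spa0wejk2490234jsdf0rta/"

# Constructed sample requests; the host name is a placeholder.
_HOST = b"Host: c2.example.invalid\r\n"
SAMPLE_REQUESTS = [
    b"PUT /spa0wejk2490234jsdf0rta/ HTTP/1.1\r\n" + _HOST + b"Content-Length: 4\r\n\r\nabcd",
    b"PUT /spa0wejk2490234jsdf0rta/ HTTP/1.1\r\n" + _HOST + b"User-Agent: curl/8.0\r\n\r\n",
    b"GET /spa0wejk2490234jsdf0rta/ HTTP/1.1\r\n" + _HOST + b"\r\n",
    b"PUT /spa0wejk2490234jsdf0rta/a.bin HTTP/1.1\r\n" + _HOST + b"\r\n",
]


def extract_meta(raw_request: bytes) -> dict:
    """Derive directory, action, filename and client from one raw HTTP request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    path = urlsplit(target).path or "/"
    directory, _, filename = path.rpartition("/")
    return {
        "directory": directory + "/",
        "action": method.lower(),
        "filename": filename or "<none>",       # no file component after the last slash
        "client": headers.get("user-agent"),    # None when the header is absent (!exists)
    }


def matches_rule(meta: dict) -> bool:
    """All four conditions of the query must hold."""
    return (meta["directory"] == KAZY_DIRECTORY and meta["action"] == "put"
            and meta["filename"] == "<none>" and meta["client"] is None)


def scan(requests) -> list:
    """Return the indexes of requests that satisfy the rule."""
    return [i for i, raw in enumerate(requests) if matches_rule(extract_meta(raw))]
```

Only the first sample request satisfies all four conditions; each of the others fails exactly one of them, which shows what every clause of the query contributes.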


As of this writing, VirusTotal has a low detection rate of the sample under investigation.

Finally, all of the IOCs from those HTTP sessions were added to RSA FirstWatch Live feeds.