Command Evade Turla Kazuar Loader
The Turla group, a long‑standing threat actor with a history of sophisticated operations, has recently deployed a new loader that demonstrates advanced evasion techniques. The loader, which we refer to as the Turla Kazuar v3 Loader, is a multi‑stage infection chain that leverages legitimate Windows components, COM integration, and memory‑resident execution to deliver a backdoor with minimal footprint and high stealth. This report provides a comprehensive analysis of the loader’s architecture, its evasion methods, and recommendations for detection and mitigation.
Infection Chain Overview
The loader’s lifecycle begins with a seemingly innocuous VBScript file that drops a legitimate Hewlett‑Packard printer driver installer and a native loader DLL into the victim’s local application data folder. The script then executes the installer, which in turn runs the native loader, hpbprndiLOC.dll. The native component is responsible for performing security bypasses, including AMSI and ETW blinding, and for orchestrating the transition to a COM‑visible .NET assembly. This assembly acts as a bridge that decrypts and loads three modular .NET backdoor components – KERNEL, WORKER, and BRIDGE – directly from memory.
Stage One: VBScript Dropper
The VBScript file, named 8RWRLT.vbs, is the initial foothold. It creates a nested directory under %LOCALAPPDATA% that mimics a legitimate HP printer driver installation path. Within this directory, the script drops the HP driver installer (hpbprndi.exe) and the encrypted payloads jayb.dadk, kgjlj.sil, and pkrfsu.ldy. After installation, the script launches the installer, which executes the native loader DLL. The script also writes a persistence registry key under HKCU\Software\Classes\CLSID and sets a Run key in HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure the loader re‑executes on reboot.
Stage Two: Native Loader and Security Bypass
The native loader, hpbprndiLOC.dll, is a 32‑bit DLL that performs a series of low‑level bypasses. It uses vectored exception handling and the NtContinue API to temporarily disable AMSI and ETW monitoring, effectively blinding local security telemetry. The loader also employs a sophisticated control‑flow redirection technique that exploits the MFC satellite DLL loading mechanism. By registering itself as a side‑loaded component, the loader hands control to a COM‑visible .NET assembly without invoking standard file system APIs, thereby evading many endpoint detection systems.
Stage Three: COM‑Visible .NET Bridge
The COM‑visible .NET assembly, jtjdypzmb.yqg, is a small wrapper that bridges the unmanaged loader to the managed Kazuar payloads. The assembly is registered under HKCU and HKLM CLSID keys, pointing to mscoree.dll with an InprocServer32 surrogate. When CoCreateInstance is called, Windows spawns a dllhost surrogate that loads the .NET runtime and the assembly into a sandboxed AppDomain. The assembly’s public method, EeseOleAscaUtcent, receives the encrypted payload bytes and a cryptographic seed, then performs AES‑CBC decryption followed by raw inflation. The resulting .NET executables – KERNEL, WORKER, and BRIDGE – are then loaded into memory and executed via dllhost, attributing the malicious activity to the surrogate process.
Stage Four: Kazuar v3 Backdoor Modules
The three Kazuar modules are modular .NET executables that perform distinct functions. The KERNEL module orchestrates keylogging, credential theft, and configuration management. The WORKER module monitors system defenses and maintains persistence, while the BRIDGE module handles outbound communication. The BRIDGE module uses compromised WordPress plugin URLs to exfiltrate data from the local data directory, which is stored under C:\ProgramData\WindowsGraphicalDevice. The agent label AGN‑RR‑01 is embedded in each module, indicating the backdoor’s classification.
Detection and Mitigation
Detection of the Turla loader requires a multi‑layered approach. First, monitor for the creation of the HP printer driver directory and the presence of the hpbprndiLOC.dll file. Second, watch for anomalous COM registrations under HKCU and HKLM CLSID keys that reference mscoree.dll surrogates. Third, implement endpoint detection that flags the use of vectored exception handlers and the NtContinue API, which are strong indicators of AMSI/ETW bypass attempts. Finally, block outbound traffic to the known C2 WordPress plugin domains and enforce strict application whitelisting for .NET assemblies.
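The host-based checks above, turned into a small triage rule set as an added example (not part of the original report): it evaluates constructed Sysmon-style file and registry events for the loader DLL, the per-user CLSID pointing at mscoree.dll, the Run-key persistence and writes to the Kazuar data directory. The %LOCALAPPDATA% layout, the CLSID values and the event schema are assumptions made for the sample.

```python
import re

# Indicators taken from the report; the %LOCALAPPDATA% layout and CLSIDs below are constructed.
LOADER_DLL = "hpbprndiloc.dll"
INSTALLER = "hpbprndi.exe"
DATA_DIR = r"c:\programdata\windowsgraphicaldevice" + "\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# InprocServer32 under a CLSID; Sysmon logs HKCU as HKU\<SID> and the default value as (Default).
CLSID_RE = re.compile(r"^(?P<hive>hkcu|hklm|hku\\[^\\]+)\\software\\classes\\clsid\\\{[0-9a-f-]+\}"
                      r"\\inprocserver32(\\\(default\))?$")

def check_event(ev):
    """Return findings for one constructed Sysmon-style event (file_create or registry_set)."""
    findings = []
    if ev["type"] == "file_create":
        path = ev["path"].lower()
        if path.endswith("\\" + LOADER_DLL):
            findings.append(f"high: native loader DLL written: {ev['path']}")
        if path.startswith(DATA_DIR):
            findings.append(f"high: write into Kazuar data directory: {ev['path']}")
    elif ev["type"] == "registry_set":
        key, data = ev["key"].lower(), ev.get("data", "").lower()
        m = CLSID_RE.match(key)
        # Every registered .NET COM class points InprocServer32 at mscoree.dll, so the reference
        # alone is not malicious: a per-user (HKCU/HKU) registration is the anomaly, while a
        # machine-wide one only merits a lower-priority review.
        if m and "mscoree.dll" in data:
            sev = "medium" if m.group("hive") == "hklm" else "high"
            findings.append(f"{sev}: .NET COM class registered at {ev['key']}")
        if RUN_KEY in key and INSTALLER in data:
            findings.append(f"high: Run-key persistence launching HP installer: {ev['data']}")
    return findings

def scan(events):
    return [f for ev in events for f in check_event(ev)]

# Constructed sample telemetry: four malicious events, one machine-wide .NET COM class, one benign file.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\u\AppData\Local\HP\hpbprndi\hpbprndiLOC.dll"},
    {"type": "registry_set", "key": r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32",
     "data": r"C:\Windows\System32\mscoree.dll"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HPUpdate",
     "data": r"C:\Users\u\AppData\Local\HP\hpbprndi\hpbprndi.exe"},
    {"type": "file_create", "path": r"C:\ProgramData\WindowsGraphicalDevice\out.bin"},
    {"type": "registry_set", "key": r"HKLM\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32\(Default)",
     "data": r"C:\Windows\System32\mscoree.dll"},
    {"type": "file_create", "path": r"C:\Windows\Temp\benign.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The mscoree.dll rule is deliberately scored by hive rather than treated as a hard match, because legitimate .NET COM servers register the same InprocServer32 value machine-wide.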
Conclusion
The Turla Kazuar v3 Loader showcases a highly sophisticated infection chain that blends legitimate components with advanced evasion techniques. By leveraging COM, MFC sideloading, and in‑memory decryption, the loader achieves a high level of stealth and resilience. Organizations should adopt comprehensive detection strategies that include monitoring for anomalous COM activity, enforcing strict application whitelisting, and maintaining robust endpoint telemetry to counter this evolving threat.