The Tomiris malware
The Nobelium threat actor that was behind last year’s SolarWinds supply chain attack has likely created a backdoor that hasn’t been documented before, according to recent research. The new threat has been named Tomiris and is yet another addition to the threat actor’s ever-growing collection of hacking tools (SolarStorm, Dark Halo, etc.) and methods.
From the details that have been revealed, Tomiris resembles another second-stage malware employed in the attack against the Orion platform, known as SUNSHUTTLE (or GoldMax).
Discovered by Kaspersky in June this year, the Tomiris backdoor is written in Go and is deployed via a successful DNS hijacking attack, in which targets trying to access a corporate email service login page are diverted to a fraudulent domain with spoofed login pages designed to trick visitors into downloading malware disguised as a security update.
Several government institutions in an undisclosed CIS member state are thought to have been targeted by this backdoor attack.
This backdoor’s main goal, according to the researchers, is to gain a foothold in the targeted system and download additional malicious components. The professionals have also discovered several similarities, such as the encryption scheme and similar spelling mistakes, that point to shared development practices or common authorship.
This isn’t the first time that the threat actor’s tools have been found to share similarities. According to another study from this year, a number of shared features have been found between Sunburst and a Turla-linked .NET backdoor known as Kazuar. The fact that Tomiris has been found on networks where Kazuar had already infected other computers raises the possibility that the three different malware families are connected.
But the researchers also pointed out that it might be a false flag attack, in which threat actors intentionally imitate the methods and procedures used by a recognized adversary in an effort to confuse attribution.
A few days ago, Microsoft revealed another backdoor called FoggyWeb used by the Nobelium gang to distribute extra payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers. The threat was passive and highly targeted, yet not detected by the company’s security systems.