Hackers behind the SolarWinds cyberattack have been linked to the new Tomiris malware

The Tomiris malware

The Nobelium threat actor that was behind last year’s SolarWinds supply chain attack has likely created a previously undocumented backdoor, according to recent research. The new threat has been named Tomiris and is yet another addition to the ever-growing collection of tools and methods attributed to this actor (also tracked under names such as SolarStorm and Dark Halo).

Tomiris Malware

From the details that have been revealed, Tomiris resembles another second-stage malware employed in the attack against the SolarWinds Orion platform, known as SUNSHUTTLE (or GoldMax).

Discovered by Kaspersky in June this year, the Tomiris backdoor is written in Go and is deployed following a successful DNS hijacking attack: targets trying to reach a corporate email service login page are diverted to a fraudulent domain hosting spoofed login pages, which are designed to trick visitors into downloading the malware disguised as a security update.

Several government institutions in an undisclosed CIS member state are thought to have been targeted by this backdoor attack.
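The delivery chain above hinges on a resolver answering with an attacker-controlled address for a webmail hostname. The following is an added example, not code from Kaspersky or from this article, of the check a defender would run: pin each webmail hostname to the netblocks its legitimate servers occupy and flag any resolver answer that falls outside them. The hostnames, netblocks and the "hijacked" answers are constructed for the demo; the `system_resolver` adaptor is provided for live use but is not called by the offline run.

```python
"""
Detect DNS hijacking of webmail login hostnames by comparing resolver answers
against a pinned baseline of legitimate netblocks. Added example; not the
article's or Kaspersky's code.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List

# Constructed baseline (assumption): each webmail hostname maps to the netblocks
# its legitimate servers live in. Answers outside these blocks are suspicious.
BASELINE: Dict[str, List[str]] = {
    "mail.example.gov": ["203.0.113.0/28"],
    "owa.example.gov": ["203.0.113.16/28", "2001:db8:10::/64"],
}

Resolver = Callable[[str], Iterable[str]]


@dataclass
class Finding:
    hostname: str
    observed: List[str]                      # every address the resolver returned
    rogue: List[str] = field(default_factory=list)  # answers outside the baseline

    @property
    def verdict(self) -> str:
        if not self.observed:
            return "no_answer"               # NXDOMAIN/timeout: investigate separately
        return "hijack_suspected" if self.rogue else "ok"


def audit(baseline: Dict[str, List[str]], resolve: Resolver) -> List[Finding]:
    """Resolve every baselined hostname and flag answers outside its netblocks."""
    results: List[Finding] = []
    for host, nets in baseline.items():
        allowed = [ipaddress.ip_network(n) for n in nets]
        # Strip any IPv6 zone id (fe80::1%eth0) so ip_address() accepts it.
        observed = sorted({a.split("%", 1)[0] for a in resolve(host)})
        rogue = [
            a for a in observed
            if not any(ipaddress.ip_address(a) in n for n in allowed)
        ]
        results.append(Finding(host, observed, rogue))
    return results


def system_resolver(host: str) -> List[str]:
    """Adaptor for the machine's configured resolver (not used by the offline demo)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


# Constructed answers standing in for a hijacked resolver: owa.example.gov now
# points at an address outside the organisation's netblocks.
HIJACKED_ANSWERS: Dict[str, List[str]] = {
    "mail.example.gov": ["203.0.113.10", "203.0.113.11"],
    "owa.example.gov": ["198.51.100.77"],
}


def constructed_resolver(host: str) -> List[str]:
    return HIJACKED_ANSWERS.get(host, [])


if __name__ == "__main__":
    for f in audit(BASELINE, constructed_resolver):
        print(f"{f.hostname:20} {f.verdict:17} {','.join(f.observed) or '-'}")
```

Run the audit from several vantage points (inside the network, from the ISP resolver, from a public resolver) and diff the verdicts; a hijack of the authoritative zone shows up everywhere, while a poisoned internal resolver shows up only from inside. A `no_answer` result is reported separately rather than treated as clean, because an attacker can also deny resolution of the legitimate host while the phishing domain is advertised elsewhere.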

This backdoor’s main goal, according to the researchers, is to gain a foothold in the targeted system and download additional malicious components. The researchers have also discovered several similarities, such as the encryption scheme and the same spelling mistakes, that point to shared development practices or common authorship.

This isn’t the first time that the threat actor’s tools have been found to share similarities. According to another study from this year, a number of shared features have been found between Sunburst and a Turla-linked .NET backdoor known as Kazuar. The fact that Tomiris has been found on networks where Kazuar had already infected other computers raises the possibility that the three malware families are connected.

But the researchers also pointed out that it might be a false flag operation, in which threat actors intentionally imitate the methods and procedures of a known adversary in an effort to confuse attribution.

A few days ago, Microsoft revealed another backdoor, called FoggyWeb, used by the Nobelium gang to deliver additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers. Microsoft described the threat as passive and highly targeted, and it had gone undetected by the company’s security systems.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
