Tomiris backdoor: possibly new activity by the threat actor behind the Sunburst attack

While investigating an as yet unknown Advanced Persistent Threat (APT), Kaspersky researchers identified a new piece of malware with several notable attributes that potentially point to a connection with the threat actor DarkHalo, which is responsible for the Sunburst attack, one of the most impactful supply chain attacks in recent years.
The Sunburst security incident hit the headlines in December 2020: the threat actor DarkHalo compromised a well-known enterprise software provider and used its infrastructure to distribute spyware under the guise of legitimate software updates. After that, the actor seemed to have disappeared, as no further major incidents that could be attributed to it were discovered. However, the latest research by Kaspersky's Global Research and Analysis Team (GReAT) shows that this is not the case.
DNS hijacking attack against government organizations
In June 2021, more than six months after DarkHalo went underground, Kaspersky researchers identified traces of a successful DNS hijacking attack against multiple government organizations in the same country. DNS hijacking is an attack in which a domain name's DNS records, which map a website's hostname to the IP address of the server hosting it, are modified so that network traffic is redirected to a server controlled by the attacker. In the case discovered by Kaspersky, the targets tried to access the web interface of a corporate email service, but were redirected to a fake copy of it and, as a result, downloaded a malicious software update. Kaspersky researchers followed the attackers' trail and found that this 'update' contained the previously unknown 'Tomiris' backdoor.
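The redirection described above leaves two places where a defender can catch it: the DNS answers themselves, and the "update" that the fake site hands out. The following is an added example, not code from Kaspersky or from the report, showing both checks. It compares the addresses returned for a hostname by several resolvers against a trusted baseline of address ranges, flags any answer outside those ranges and any disagreement between resolvers, and verifies a downloaded update against a SHA-256 value obtained out of band before it is installed. All hostnames, addresses, resolver names and the update payload are constructed for the example.

```python
"""Defender-side checks for the DNS hijacking scenario described above.

Added example, not part of the Kaspersky report. Hostnames, IP ranges,
resolver names and the update payload are constructed placeholders.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed baseline: hostnames the organisation owns and the address
# ranges its servers are known to live in (documentation/test ranges).
TRUSTED_BASELINE = {
    "mail.example-gov.test": ["203.0.113.0/24"],
    "portal.example-gov.test": ["203.0.113.0/24", "198.51.100.0/25"],
}


@dataclass
class Finding:
    hostname: str
    resolver: str   # "*" when the finding concerns the host as a whole
    answer: str
    reason: str


def check_answers(observed, baseline=TRUSTED_BASELINE):
    """Compare observed DNS answers with the trusted baseline.

    observed: {hostname: {resolver_name: [ip, ...]}}
    Returns a list of Finding objects; an empty list means nothing suspicious.
    """
    findings = []
    for host, per_resolver in observed.items():
        nets = [ipaddress.ip_network(n) for n in baseline.get(host, [])]
        if not nets:
            continue  # no baseline for this host: nothing to compare against
        # Any answer outside the trusted ranges is the classic hijack signal.
        for resolver, ips in per_resolver.items():
            for ip in ips:
                if not any(ipaddress.ip_address(ip) in n for n in nets):
                    findings.append(Finding(host, resolver, ip,
                                            "answer outside trusted ranges"))
        # Resolvers disagreeing with each other is a signal on its own,
        # e.g. a poisoned or redirected resolver vs. the internal one.
        if len({frozenset(ips) for ips in per_resolver.values()}) > 1:
            findings.append(Finding(host, "*", "", "resolvers disagree"))
    return findings


def verify_update(blob: bytes, expected_sha256: str) -> bool:
    """Accept an update only if it matches the hash published out of band.

    In practice this would be a code-signing check against a pinned
    publisher key; a pinned hash is the simplest form of the same idea.
    """
    return hashlib.sha256(blob).hexdigest() == expected_sha256


# Constructed observation: the mail host resolves correctly on the internal
# resolver but to an unrelated address (192.0.2.77) on a public resolver.
OBSERVED = {
    "mail.example-gov.test": {
        "internal-resolver": ["203.0.113.25"],
        "public-resolver-a": ["192.0.2.77"],
    },
    "portal.example-gov.test": {
        "internal-resolver": ["198.51.100.10"],
        "public-resolver-a": ["198.51.100.10"],
    },
}

# Constructed update payload; the expected hash would normally come from
# the vendor over a separate, trusted channel, not from the download site.
GENUINE_UPDATE = b"constructed genuine update payload v1.2.3"
EXPECTED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()
TAMPERED_UPDATE = b"constructed payload served by the fake site"


if __name__ == "__main__":
    for f in check_answers(OBSERVED):
        print(f"{f.hostname} via {f.resolver}: {f.answer or '-'} -> {f.reason}")
    print("genuine update accepted:", verify_update(GENUINE_UPDATE, EXPECTED_SHA256))
    print("tampered update accepted:", verify_update(TAMPERED_UPDATE, EXPECTED_SHA256))
```

Run stand-alone, the script reports the out-of-range answer for the mail host, the disagreement between the two resolvers, and rejects the tampered payload while accepting the genuine one. The resolver-disagreement check is the part worth keeping even when a baseline is incomplete: a hijack that only affects one resolution path still shows up as an inconsistency.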
Backdoor brings in further malware reinforcement
Further analysis revealed that the main purpose of the backdoor is to gain a foothold in the compromised system and download additional malicious components, which could not be identified during the investigation. The Tomiris backdoor is, however, very similar to Sunshuttle, the malware that was used in the Sunburst attack:
- Like Sunshuttle, Tomiris was developed in the Go programming language.
- Each backdoor uses a single encryption/obfuscation scheme to encode both its configuration and its network traffic.
- Both rely on scheduled tasks to hide their activity and use randomness and sleep delays.
- The general workflow of both programs, in particular the way features are divided into functions, is so similar that Kaspersky analysts suspect it could indicate shared development practices.
- English-language mistakes were found in both Tomiris (“isRunned”) and Sunshuttle (“EXECED” instead of “executed”). This indicates that both malicious programs were created by people whose native language is not English. It is well known that the DarkHalo actor speaks Russian.
- The Tomiris backdoor was discovered in networks in which other machines were infected with Kazuar, the backdoor known for its code overlaps [2] with the Sunburst backdoor.
"None of these points are, on their own, sufficient to associate Tomiris and Sunshuttle with sufficient security," comments Pierre Delcher, security researcher at Kaspersky. "We recognize that some of these similarities may be coincidental, but still believe that, taken together, they at least raise the possibility of common authorship or common development practices."
Noticeable similarities between the two backdoors
"If our assumption that Tomiris is linked to Sunshuttle is correct, it would shed new light on the way threat actors recalibrate their capacities after being detected," adds Ivan Kwiatkowski, security researcher at Kaspersky. "We encourage the threat intelligence community to reproduce this research and share their thoughts on the similarities we've discovered between Sunshuttle and Tomiris."
About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/