Kaspersky security researchers have discovered a new backdoor likely developed by hacking group Nobelium behind last year’s SolarWinds supply chain attack.
This follows another report released by Microsoft two days ago detailing FoggyWeb, a “passive and highly targeted” backdoor developed and used by the same group to remotely exfiltrate sensitive information from compromised AD FS servers.
The new malware discovered by Kaspersky, dubbed Tomiris, was first spotted in June although the first samples were deployed in the wild in February 2021, a month before the “sophisticated second stage backdoor” Sunshuttle was discovered by FireEye and linked to Nobelium.
Tomiris was discovered while investigating a series of DNS hijacking attacks targeting several government zones in a CIS member state between December 2020 and January 2021, which allowed malicious actors to redirect traffic from government mail servers to machines under their control.
Victims were redirected to webmail login pages that let the attackers steal their email credentials and, in some cases, tricked them into installing a software update that instead downloaded the previously unknown Tomiris backdoor.
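The hijack described above worked by changing which hosts the government mail records pointed to. A defender-side check for that is a baseline comparison of the zone's mail-related records. The script below is an added example written for this article, not code from Kaspersky or the report; it parses dig-style answer lines into a snapshot, compares them against a signed-off baseline, and flags any NS, MX or mail-host address change, noting when an address falls outside the organisation's trusted ranges. The zone names, addresses and trusted networks are constructed sample values (TEST-NET ranges), and `parse_records`, `check_zone` and `run_example` are names chosen here.

```python
"""Baseline check for DNS hijacking of mail-related records (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# (owner name, record type) -> set of rdata strings; sets ignore answer order.
Snapshot = Dict[Tuple[str, str], Set[str]]

# Constructed sample data: the signed-off baseline and what a resolver returned today.
BASELINE_TEXT = """
; signed-off baseline (constructed sample, TEST-NET addresses)
example.test.       3600 IN NS ns1.example.test.
example.test.       3600 IN NS ns2.example.test.
example.test.       3600 IN MX 10 mail.example.test.
mail.example.test.  300  IN A  192.0.2.10
"""
OBSERVED_TEXT = """
example.test.       3600 IN NS ns1.example.test.
example.test.       3600 IN NS ns2.example.test.
example.test.       3600 IN MX 10 mail.example.test.
mail.example.test.  60   IN A  198.51.100.77
"""
TRUSTED_NETS = ["192.0.2.0/24"]  # constructed: address space the mail hosts should live in

# Delegation changes are the most serious, since they hand the whole zone to the attacker.
SEVERITY = {"NS": "critical", "MX": "high", "A": "high", "AAAA": "high"}


def parse_records(text: str) -> Snapshot:
    """Parse 'owner TTL IN TYPE rdata' lines (dig answer-section style) into a snapshot.
    Blank lines and ';' comments are skipped; MX keeps 'pref host' as one value.
    TTL is parsed but deliberately not compared."""
    snap: Snapshot = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unparseable record line: {raw!r}")
        owner, rtype = parts[0].lower(), parts[3].upper()
        rdata = " ".join(parts[4:]).lower()
        snap.setdefault((owner, rtype), set()).add(rdata)
    return snap


@dataclass(frozen=True)
class Finding:
    owner: str
    rtype: str
    severity: str
    expected: FrozenSet[str]
    observed: FrozenSet[str]
    note: str = ""


def _in_trusted(value: str, nets: List[ipaddress._BaseNetwork]) -> bool:
    """True if an A/AAAA rdata value parses as an address inside a trusted network."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # malformed rdata is never trusted
    return any(addr in n for n in nets)


def check_zone(baseline: Snapshot, observed: Snapshot, trusted_nets: List[str]) -> List[Finding]:
    """Return one Finding per baseline record set whose observed values differ.
    Records missing from the observed snapshot show up as an empty observed set."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings: List[Finding] = []
    for (owner, rtype), expected in sorted(baseline.items()):
        got = observed.get((owner, rtype), set())
        if got == expected:
            continue
        note = ""
        if rtype in ("A", "AAAA"):
            outside = sorted(v for v in got if not _in_trusted(v, nets))
            if outside:
                note = "resolves outside trusted address space: " + ", ".join(outside)
        findings.append(Finding(owner, rtype, SEVERITY.get(rtype, "medium"),
                                frozenset(expected), frozenset(got), note))
    return findings


def run_example() -> List[Finding]:
    """Run the comparison over the constructed sample data."""
    return check_zone(parse_records(BASELINE_TEXT), parse_records(OBSERVED_TEXT), TRUSTED_NETS)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.severity}] {f.owner} {f.rtype}: expected {sorted(f.expected)}, "
              f"observed {sorted(f.observed)} {f.note}")
```

In practice the observed snapshot would come from querying the zone's authoritative servers and a few public resolvers (an inconsistency between them is itself a signal), and the baseline would be stored somewhere the DNS administrator's credentials cannot modify, since a registrar or DNS-host compromise is the usual route for this kind of hijack.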
Links to Nobelium's Sunshuttle malware
Once deployed on a system, Tomiris will repeatedly query a command and control server for other malicious payloads to run on the compromised device, allowing its operators to gain a foothold on the victim’s network.
Another variant can collect and exfiltrate documents from compromised systems, automatically harvesting recently modified files whose extensions are of interest, including .doc, .docx, .pdf and .rar.
Kaspersky found many similarities between the two backdoors: both are written in Go, both persist through scheduled tasks, both use the same encoding scheme for C2 communications, and both use automated sleep delays to reduce network noise.
On the same network as Tomiris, they also spotted the Kazuar backdoor, which shares functionality with the Sunburst malware used in the SolarWinds attack.
Despite this, the researchers have not established a conclusive link between the new backdoor and the Russia-backed Nobelium state hackers, given the possibility of a false-flag operation designed to mislead researchers.
“While it is possible that other APTs may be aware of the existence of this tool at this time, we believe it is unlikely that they will attempt to imitate it even before it is disclosed,” Kaspersky added.
“A much more likely (but unconfirmed) hypothesis is that the authors of Sunshuttle began developing Tomiris around December 2020 when Operation SolarWinds was discovered, replacing their burnt tool set.”
Who is Nobelium?
Nobelium, the hacking group that carried out the SolarWinds supply chain attack that led to the compromise of several US federal agencies, is the hacking division of the Russian Foreign Intelligence Service (SVR), also tracked as APT29, The Dukes or Cozy Bear.
In April 2021, the United States government formally accused the SVR division of coordinating SolarWinds’ “large-scale cyber espionage campaign”.
The cybersecurity company Volexity also linked the attacks to operators of the same hacking group, based on the tactics they used in previous incidents dating back to 2018.
In May, Microsoft researchers revealed four other malware families used by Nobelium in other attacks: a malware downloader called ‘BoomBox’, a shellcode downloader and launcher called ‘VaporRage’, a malicious HTML attachment called ‘EnvyScout’ and a loader named ‘NativeZone’.
In March, they detailed three other strains of Nobelium malware used to maintain persistence on compromised networks: a command and control backdoor dubbed ‘GoldMax’, an HTTP tracer tool tracked as ‘GoldFinder’, and a persistence tool and malware dropper named ‘Sibot’.