According to the Moscow-headquartered security firm Kaspersky, the new malware is called ‘Tomiris’, and the researchers noted its similarities to Sunshuttle, a later-stage malware used in the same campaign. That campaign targeted the IT management software provider’s Orion Platform. UNC2452, SolarStorm, Stellar Collections, Dark Halo and Iron Ritual are some of the names under which Nobelium is tracked.
On Wednesday, cybersecurity researchers reported a previously unknown backdoor, likely designed and developed by Nobelium, the advanced persistent threat (APT) group responsible for last year’s SolarWinds supply chain attack, adding to the threat actor’s ever-expanding arsenal of hacking tools.
Kaspersky researchers reported: “Evidence suggests that Dark Halo spent six months inside Orion IT’s networks perfecting their attack and ensuring that their tampering with the build chain had no negative consequences.” The researchers identified a range of shared characteristics, from technique down to spelling mistakes, that collectively point towards the possibility of common authorship or shared development practices.
“Tomiris is a backdoor written in Go whose role is to continuously query its C2 server for executables to download and execute on the victim system. Before performing any operations, it sleeps for at least nine minutes in a possible attempt to defeat sandbox-based analysis systems. It establishes persistence with scheduled tasks by creating and running a batch file,” the blog post reads.
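The persistence behaviour quoted above (a batch file that registers a scheduled task) leaves a recognisable process chain in endpoint telemetry. The following detection logic is an added example, not code from Kaspersky or from this article: it runs over constructed Sysmon-style process-creation events, and the field names, the `update.exe` path and the task name are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:  # minimal Sysmon event ID 1 (process creation) fields; names are assumed
    pid: int
    ppid: int
    image: str
    cmdline: str

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def is_batch_shell(ev):
    """cmd.exe launched to run a .bat file."""
    return ev.image.lower().endswith("cmd.exe") and ".bat" in ev.cmdline.lower()

def is_schtasks_create(ev):
    """schtasks.exe invoked with /create (task registration)."""
    return ev.image.lower().endswith("schtasks.exe") and "/create" in ev.cmdline.lower().split()

def task_target(cmdline):  # return the /tr (task run) argument, or None if absent
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "/tr":
            return tokens[i + 1]
    return None

def find_batch_scheduled_task_chains(events):
    """Flag schtasks /create whose parent is cmd.exe running a batch file; severity
    is 'high' when the registered task runs a binary from a user-writable directory."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if not (is_schtasks_create(ev) and parent and is_batch_shell(parent)):
            continue
        target = task_target(ev.cmdline) or ""
        user_path = any(p in target.lower() for p in USER_WRITABLE)
        hits.append({"batch_pid": parent.pid, "schtasks_pid": ev.pid, "target": target,
                     "severity": "high" if user_path else "medium"})
    return hits

# Constructed sample telemetry: one suspicious chain plus a benign schtasks query.
SAMPLE_EVENTS = [
    ProcEvent(1200, 1000, r"C:\Users\u\AppData\Local\Temp\update.exe", "update.exe"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\u\AppData\Local\Temp\t.bat"),
    ProcEvent(1400, 1300, r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /create /tn Updater /tr C:\Users\u\AppData\Local\Temp\update.exe /sc minute /mo 10 /f"),
    ProcEvent(1500, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent(1600, 1500, r"C:\Windows\System32\schtasks.exe", "schtasks.exe /query"),
]
```

Legitimate installers also register tasks from batch files, so treat a hit as a lead to triage (task target, signer, parent binary) rather than a verdict on its own.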
This isn’t the first time that overlaps between the threat actor’s various tools have been uncovered: earlier this year, Kaspersky’s research reported that Sunburst and Kazuar, a .NET-based backdoor attributed to the Turla group, share a number of traits. Notably, the cybersecurity firm said that it discovered Tomiris in networks where other machines had been infected with Kazuar, raising the possibility that the three malware families are linked.
“In the end, a number of clues hint at links between Sunburst, Kazuar and Tomiris, but it feels like we’re still missing one piece of evidence that would allow us to attribute them all to a single threat actor. We would like to conclude this segment by addressing the possibility of a false flag attack: it could be argued that due to the high-profile nature of Sunshuttle, other threat actors could have purposefully tried to reproduce its design in order to mislead analysts,” the blog post reads.
Indicators of compromise
Tomiris staging server
Tomiris signalization server
Tomiris build path