According to the Moscow-headquartered firm Kaspersky, the new malware is called ‘Tomiris’, and the researchers pointed out its similarities to Sunshuttle, another second-stage malware. The group behind it targeted the IT management software provider’s Orion Platform; UNC2452, Solarstorm, Stellar Collections, Dark Halo and Iron Ritual are some of the names used for Nobelium.

On Wednesday, cybersecurity researchers reported a previously unknown backdoor that was likely designed and developed by Nobelium, the advanced persistent threat (APT) group responsible for last year’s SolarWinds supply chain attack, adding to the threat actor’s ever-expanding arsenal of hacking tools.

Kaspersky researchers wrote: “Evidence suggests that Dark Halo spent six months inside Orion IT’s networks perfecting their attack and ensuring that their tampering with the build chain had no negative consequences.” The researchers discovered a variety of characteristics, ranging from technique to spelling mistakes, that collectively point towards the possibility of the same authorship or shared development practices.

“Tomiris is a backdoor written in Go whose role is to continuously query its C2 server for executables to download and execute on the victim system. Before performing any operations, it sleeps for at least nine minutes in a possible attempt to defeat sandbox-based analysis systems. It establishes persistence with scheduled tasks by creating and running a batch file,” reads the blogpost.
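The persistence pattern quoted above (a scheduled task whose action runs a batch file) is something a defender can hunt for in task-creation telemetry. The following is an added example, not code from Kaspersky or from the report; the log records are constructed samples that imitate Windows Security event 4698, and the field layout, task names and paths are assumptions for illustration rather than Tomiris artefacts.

```python
"""Hunt for scheduled tasks whose action runs a batch file.
Records are constructed samples shaped like Windows Security event 4698
(scheduled task created); field layout and values are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records: (event_id, user, task_name, task_command)
SAMPLE_EVENTS = [
    (4698, "WORKSTATION\\alice", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "%windir%\\system32\\defrag.exe -c -h -o -$"),
    (4698, "WORKSTATION\\alice", "\\Updater",
     "C:\\Users\\alice\\AppData\\Roaming\\upd.bat"),
    (4698, "WORKSTATION\\alice", "\\Backup",
     "cmd.exe /c \"C:\\Users\\alice\\AppData\\Local\\Temp\\run.bat\""),
    (4688, "WORKSTATION\\alice", "", "C:\\Windows\\System32\\notepad.exe"),
]

# Directories where a dropped batch file is far more likely than a legitimate task action
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Downloads|ProgramData)\\", re.I)
BATCH_FILE = re.compile(r"\.(bat|cmd)\b", re.I)


@dataclass(frozen=True)
class Finding:
    task_name: str
    command: str
    reason: str


def score_task(command: str) -> Optional[str]:
    """Return a reason string when the task action matches the pattern, else None."""
    if not BATCH_FILE.search(command):
        return None
    if USER_WRITABLE.search(command):
        return "scheduled task runs a batch file from a user-writable directory"
    return "scheduled task runs a batch file"


def hunt(events) -> list:
    """Return one Finding per task-creation event whose action runs a batch file."""
    findings = []
    for event_id, _user, task_name, command in events:
        if event_id != 4698:  # only task-creation events matter for this pattern
            continue
        reason = score_task(command)
        if reason:
            findings.append(Finding(task_name, command, reason))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.task_name}: {f.reason} ({f.command})")
```

Because the report says the backdoor sleeps for at least nine minutes before acting, a sandbox run shorter than that would never see this task being created; host telemetry collected over a longer window does not have that blind spot.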

Earlier this year, Kaspersky’s research into the malware noted that this isn’t the first time overlaps between the threat actor’s various tools have been uncovered: Sunburst and Kazuar, a .NET-based backdoor attributed to the Turla group, share a lot of traits. Surprisingly, the cybersecurity firm said that it discovered Tomiris in networks where other devices had been infected with Kazuar, raising the possibility that the three malware families are linked.

“In the end, a number of clues hint at links between Sunburst, Kazuar and Tomiris, but it feels like we’re still missing one piece of evidence that would allow us to attribute them all to a single threat actor. We would like to conclude this segment by addressing the possibility of a false flag attack: it could be argued that due to the high-profile nature of Sunshuttle, other threat actors could have purposefully tried to reproduce its design in order to mislead analysts,” reads the blogpost.

Indicators of compromise

The Kaspersky report lists indicators for the Tomiris downloader, the Tomiris staging server, the Tomiris signalization server, the Tomiris C2 and the Tomiris build path.

Source: Kaspersky.
