
New Malware Linked To Solarwinds Infecting Victims In The Wild

According to the Moscow-headquartered firm Kaspersky, the new malware is called ‘Tomiris’, and the researchers noted its similarities to another second-stage malware, Sunshuttle. The group behind it had targeted the IT management software provider’s Orion Platform. UNC2452, Solarstorm, Stellar Collections, Dark Halo and Iron Ritual are some of the names used for Nobelium.

On Wednesday, cybersecurity researchers reported a previously unknown backdoor that was likely designed and developed by Nobelium, the APT responsible for last year’s SolarWinds supply chain attack, adding to the threat actor’s ever-expanding arsenal of hacking tools.


Kaspersky researchers reported that “evidence suggests that Dark Halo spent six months inside Orion IT’s networks perfecting their attack and ensuring that their tampering with the build chain had no negative consequences.” The researchers identified a variety of characteristics, ranging from the techniques used to spelling mistakes, that collectively point towards the possibility of common authorship or shared development practices.

“Tomiris is a backdoor written in Go whose role is to continuously query its C2 server for executables to download and execute on the victim system. Before performing any operations, it sleeps for at least nine minutes in a possible attempt to defeat sandbox-based analysis systems. It establishes persistence with scheduled tasks by creating and running a batch file,” reads the blog post.

Earlier this year, Kaspersky’s research on the malware noted that this isn’t the first time overlaps between the threat actor’s various tools have been uncovered: Sunburst and Kazuar, a .NET-based backdoor attributed to the Turla group, share a lot of traits. Surprisingly, the cybersecurity firm said that it discovered Tomiris in networks where other devices had been infected with Kazuar, raising the possibility that the three malware families are linked.


“In the end, a number of clues hint at links between Sunburst, Kazuar and Tomiris, but it feels like we’re still missing one piece of evidence that would allow us to attribute them all to a single threat actor. We would like to conclude this segment by addressing the possibility of a false flag attack: it could be argued that due to the high-profile nature of Sunshuttle, other threat actors could have purposefully tried to reproduce its design in order to mislead analysts,” reads the blog post.

Indicators of compromise


Tomiris staging server
51.195.68[.]217

Tomiris signalization server
update.softhouse[.]store

Tomiris C2
185.193.127[.]92
185.193.126[.]172

Tomiris build path
C:/Projects/go/src/Tomiris/main.go

Source: Kaspersky.
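As an added example (not Kaspersky’s code and not part of the original post), a small Python triage script that refangs the network indicators listed above, checks a proxy log for contacts with them, and scans an executable image for the embedded Go build path; the log format and the sample data are constructed for the demonstration.

```python
"""Triage helpers for the Tomiris indicators on this page (added example, not Kaspersky's code)."""
import re

# Network indicators exactly as the page lists them (defanged), plus the Go build path.
DEFANGED_IPS = ["51.195.68[.]217", "185.193.127[.]92", "185.193.126[.]172"]
DEFANGED_DOMAINS = ["update.softhouse[.]store"]
BUILD_PATH = b"C:/Projects/go/src/Tomiris/main.go"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_IPS = {refang(i) for i in DEFANGED_IPS}
C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def has_tomiris_build_path(blob: bytes) -> bool:
    """Go binaries embed the source path of every compiled file, so a plain
    substring search over the executable image is enough to flag this build."""
    return BUILD_PATH in blob


# Constructed log format: timestamp, source host, destination IP, requested hostname.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<host>\S+)")


def find_c2_contacts(log_lines):
    """Return (timestamp, source host, matched indicator) for every line whose
    destination IP or requested host is a Tomiris staging/signalization/C2 address."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ind = m["dst"] if m["dst"] in C2_IPS else m["host"] if m["host"] in C2_DOMAINS else None
        if ind:
            hits.append((m["ts"], m["src"], ind))
    return hits


# Constructed sample input: a fake executable image and four proxy log lines.
SAMPLE_BLOB = b"MZ" + b"\x00" * 32 + BUILD_PATH + b"\x00" * 8
SAMPLE_LOG = [
    "2021-09-29T10:01:02Z ws-042 142.250.74.78 www.example.com",
    "2021-09-29T10:02:17Z ws-042 51.195.68.217 -",
    "2021-09-29T10:11:40Z ws-017 104.18.2.5 update.softhouse.store",
    "2021-09-29T10:12:01Z ws-017 185.193.127.92 -",
]

if __name__ == "__main__":
    print("build path embedded:", has_tomiris_build_path(SAMPLE_BLOB))
    for hit in find_c2_contacts(SAMPLE_LOG):
        print("C2 contact:", hit)
```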
