cyber securityResearchers on Wednesday disclosed a previously undocumented backdoor that was likely designed and developed by the Nobelium Advanced Persistent Threat (APT) that powered last year's SolarWinds supply chain attack, joining an expanding list of threat actors.hackerTool Library.
Moscow-based Kaspersky, which codenamed the malware "Tomiris," said it was similar to another second-stage malware used during the campaign, SUNSHUTTLE (aka GoldMax), which targeted IT management software provider Orion platform. Nobelium is also known as UNC2452, SolarStorm, StellarParticle, Dark Halo and Iron Ritual.
"While supply chain attacks have become a documented attack vector exploited by many APT actors, this particular campaign stands out due to the extreme caution of the attackers and the high profile of the victims," Kaspersky researchers said. "To date Evidence gathered so far indicates that Dark Halo spent six months within Orion IT's network perfecting their attack and ensuring that their tampering with the build chain did not have any adverse effects."
Microsoft detailed SUNSHUTTLE in March 2021, describing the virus as a Golang-based malware that acts as a command and control backdoor, establishing a secure connection to an attacker-controlled server to obtain and execute on infected machines Arbitrary commands such as and exfiltrate files from the system to the server.
The new Tomiris backdoor discovered by Kaspersky in June from a February sample was also written in Go and deployed via a successful DNS hijacking attack, during which targets trying to access the corporate email service's login page were redirected A similar interface was set up on the fraudulent domain, designed to trick visitors into downloading malware under the guise of a security update.
The attacks are believed to have been launched against several government organizations in an unnamed Commonwealth of Independent States member state.
"The main purpose of the backdoor is to establish a foothold in the compromised system and download additional malicious components," the researchers said, adding that they also found numerous similarities, ranging from encryption schemes to identical spelling errors, collectively suggesting "co-authorship or Possibilities for Sharing Development Practices”.
This is not the first time that overlap has been found between different tools used by threat actors. Earlier this year, Kaspersky's analysis of Sunburst revealed many shared features between the malware and Kazuar, the Turla Group's .NET-based backdoor. Interestingly, the cybersecurity company said it detected Tomiris in other networks where machines were infected with Kazuar, raising the possibility that the three malware families may be related to each other.
That being said, the researchers noted that this could also be a case of a false flag attack, in which a threat actor deliberately replicates tactics and techniques employed by known adversaries in an attempt to mislead attribution.
A few days ago, Microsoft deployed a passive and highly targeted implant called FoggyWeb, which was used by the Nobelium group to deliver additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers. .
Original article, author: Chief Security Officer, if reprinted, please indicate the source: https://cncso.com/en/new-discovery-of-tomiris-backdoor-linked-to-hackers-behind-solarwinds-cyber-attack .html