Kaspersky Lab specialists have described the new Tomiris backdoor, which is already being used by cybercriminals in targeted attacks. In a number of ways, it is similar to the Sunshuttle (aka GoldMax) malware used by the DarkHalo group (aka Nobelium, APT 29, Cozy Bear, or The Dukes) in a sensational attack on SolarWinds customers.
Tomiris was found during the investigation of a series of DNS interception attacks targeting several government zones in the CIS countries (from December 2020 to January 2021), which allowed attackers to redirect traffic from government mail servers to machines under their control.
The main task of the Tomiris backdoor is to deliver additional malware to the victim’s machine. It constantly polls the attackers’ C&C server, downloads executable files from it, and runs it with the specified arguments. In addition, experts found a variant of Tomiris that could steal files. The malware selected newly created files with certain extensions (.doc, .docx, .pdf, .rar, and so on) and then uploaded them to the C&C server.
It is reported that the authors of the backdoor have provided it with a number of functions, the purpose of which is to deceive security technologies and confuse the investigation of the incident. So, getting on the computer, it does nothing for nine minutes – probably to trick the detection mechanisms based on the sandbox. In addition, the exact C&C address is not encoded inside Tomiris – it receives the correct URL and port from the intermediate link.
To deliver the backdoor to the victim’s machine, cybercriminals use DNS redirection tactics. In some way (probably, having received credentials from the control panel on the domain name registrar’s website), they redirect traffic from the mail servers of the attacked organizations to their own resources. As a result, clients are taken to a site that mimics the original login page and the web interface of the mail service.
Of course, the credentials entered on such a page immediately fall into the hands of intruders. However, sometimes the site is also notified about the need to install a security update, without which it is allegedly impossible to continue working with the service. The Tomiris backdoor loader was also downloaded as such an “update”.
The authors of the aforementioned Sunshuttle malware are believed to have started developing Tomiris around December 2020, when an attack on SolarWinds’ clients was discovered and hackers needed a replacement for the flashed toolkit.
Let me remind you that this week Microsoft specialists also discovered a new malware from this group. The FoggyWeb malware is used to deploy additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers.
Catch up on more stories here
Follow us on Facebook here