Connect with us

Hi, what are you looking for?

HEADLINES

Tomiris backdoor potentially hints at new activity of a threat actor behind the Sunburst attack

The Sunburst security incident hit the headlines in December 2020: The DarkHalo threat actor compromised a widely used enterprise software provider and for a long time used its infrastructure to distribute spyware under the guise of legitimate software updates. 

While investigating a yet unknown advanced persistence threat (APT), Kaspersky researchers came across new malware that contained several important attributes that potentially connect it to DarkHalo – the threat actor behind the Sunburst attack. It is considered one of the most impactful supply chain security incidents of recent years.

The Sunburst security incident hit the headlines in December 2020: The DarkHalo threat actor compromised a widely used enterprise software provider and for a long time used its infrastructure to distribute spyware under the guise of legitimate software updates. 

After the media hype and an extensive hunt by the security community, the actor seemed to go under the radar. After Sunburst, there were no major discoveries of incidents attributable to this actor – it appeared that the DarkHalo APT went offline. However, the results of recent research conducted by the Kaspersky Global Research and Analysis Team shows that this may not be the case. 

In June 2021, more than six months after DarkHalo went dark, Kaspersky researchers found traces of a successful DNS hijacking attack against several government organizations in the same country.

Advertisement. Scroll to continue reading.

DNS hijacking is a type of malicious attack in which a domain name (used to connect the URL address of a website with the IP address of the server where the website is hosted) is modified in a way that reroutes network traffic to an attacker-controlled server. 

In the case that Kaspersky discovered, the targets of the attack were trying to access the web-interface of a corporate email service but were redirected to a fake copy of that web-interface and then tricked into downloading a malicious software update. Following the attackers’ path, Kaspersky researchers retrieved the “update” and discovered it deployed a previously unknown backdoor: Tomiris.   

Further analysis showed that the main purpose of the backdoor was to establish a foothold in the attacked system and to download other malicious components. The latter, unfortunately, were not identified during the investigation; however, one other important observation was made: the Tomiris backdoor turned out to be suspiciously similar to Sunshuttle – malware deployed as a consequence of the infamous Sunburst attack. 

The list of similarities consists of, but is not limited to, the following:

  • Just like Sunshuttle, Tomiris was developed in Go programming language 
  • Each backdoor uses a single encryption/obfuscation scheme to encode both configurations and network traffic
  • Both rely on scheduled tasks for persistence, use randomness and sleep delays to hide their activities
  • The general workflow of the two programs, in particular the way features are distributed into functions, look similar enough that Kaspersky analysts suggest they could be indicative of shared development practices
  • English mistakes were found in both Tomiris (’isRunned’) and Sunshuttle (’EXECED’ instead of ’executed’) strings, which points to both malicious programs being created by people that do not speak English natively – it is widely acknowledged that the DarkHalo actor is Russian-speaking
  • Finally, the Tomiris backdoor was discovered in networks where other machines were infected with Kazuar – the backdoor which is known for its code overlaps with the Sunburst backdoor 

“None of these items, taken individually, is enough to link Tomiris and Sunshuttle with sufficient confidence. We freely admit that a number of these data points could be accidental, but still feel that taken together they at least suggest the possibility of common authorship or shared development practices,” says Pierre Delcher, security researcher at Kaspersky.

“If our guess that Tomiris and Sunshuttle are connected is correct, it would shed new light on the way threat actors rebuild capacities after being caught. We would like to encourage the threat intelligence community to reproduce this research and provide second opinions about the similarities we discovered between Sunshuttle and Tomiris,” adds Ivan Kwiatkowski, security researcher at Kaspersky. 

Advertisement. Scroll to continue reading.

Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

In rigorous evaluations conducted by prestigious cybersecurity testing organizations, Kaspersky Plus (starting in Q4 2024, Kaspersky Premium), Kaspersky Endpoint Security for Business (KESB), and...

HEADLINES

"Given the Philippines' high exposure to cyber threats, it's important for both individuals and businesses to stay vigilant," said Adrian Hia, Managing Director for...

White Papers

When compared to 2023, Sophos saw a 51% increase in abusing “Living off the Land” binaries or LOLbins; since 2021, it’s increased by 83%.

HEADLINES

Someone illegally acquires or uses personal information such as bank account or credit card numbers of another person to obtain money, goods or services....

HEADLINES

To stay ahead of these challenges, organizations need to invest in AI-driven defenses, transition to quantum-safe encryption, and adopt a Zero Trust approach to...

HEADLINES

There was a 121% Year-on-Year (YoY) increase in identity fraud in 2024 across the region, with significant surges recorded in Singapore (207%), Thailand (206%)...

HEADLINES

As part of RCBC’s 2024 Cybersecurity literacy program, the webinar aims to help Filipinos level up their online banking safety by providing them with...

White Papers

The survey found that CXO’s feel less prepared than their global peers. Less than half or 48% in APAC said they felt completely prepared...

Advertisement