Shades of SolarWinds Attack Malware Found in New Tomiris Backdoor

  /     /     /  
Publicated : 23/11/2024   Category : security


Shades of SolarWinds Attack Malware Found in New Tomiris Backdoor


Malware contains similarities that suggest a possible link to malware that Russias DarkHalo group used in its massive supply chain attack, researchers say.



Advanced persistent threat (APT) actors rarely simply stop operations when their malware and techniques get exposed. Many just regroup, refresh their toolkits, and resume operations when the heat has died down a bit.
Such appears to be the case — at least circumstantially — with DarkHalo, the Russian-government affiliated threat actor behind the supply attack on SolarWinds that rattled the industry in a manner unlike any malicious campaign in recent memory.
Researchers at Kaspersky this week said they had detected a new backdoor they have dubbed Tomiris, which has multiple attributes that suggest a link to Sunshuttle, a second-stage malware that DarkHalo used in its SolarWinds campaign. This includes the programming language used to Tomiris, its obfuscation and persistence mechanisms, and the general workflow of the two malware samples.
Kaspersky discovered the Tomiris backdoor in June while investigating successful DNS hijacking incidents that impacted government agencies of a country that previously belonged to the Soviet Union and is now a member of the nine-country Commonwealth of Independent States. The security vendor described the DNS hijacking incidents as happening in brief periods in December 2020 and January 2021. In the attacks, the threat actor redirected traffic from the impacted government email servers to servers they controlled. Credential theft appears to have been the motive for the campaign, Kaspersky said in a
report
this week.
While the similarities between Tomiris and Sunshuttle alone are not enough to conclusively link the former to DarkHalo, they do suggest the two malware samples were developed by the same author or had shared development practices, according to Kaspersky. 
If our hypothesis proves true, it would show that DarkHalo is able to rebuild its capabilities relatively quickly after having been caught in the act, says Ivan Kwiatkowski, senior security researcher at Kaspersky. It would also solidify our perception of them as sophisticated and careful threat actors who are able to set in motion complex attack scenarios, such as supply chain attacks or DNS hijacking.
DarkHalo, also tracked as Nobelium, UNC2452, and StellarParticle, is a threat group that several security vendors and others — including the
US government
 — have linked to Russias Foreign Intelligence Service, SVR. The group is responsible for breaking into SolarWinds software development environment and embedding a Trojan in signed updates of the companys Orion network management technology. Some 18,000 organizations received the Trojanized updates, of which less than 100 are believed to have been targeted for subsequent attacks and data theft.
SolarWinds investigation of the breach — after FireEye notified the company of it in December 2020 — showed DarkHalo actors had begun probing its networks as
early as 2019
and subsequently gained access to its build environment. They used the access to embed a Trojan called Sunburst in the Orion product updates that were distributed to 18,000 organizations. The attackers later used Sunburst to download additional malware on systems belonging to the 100 or so organizations that were the campaigns main targets. Targets included US federal government agencies, security vendors, and large corporations.
Sunshuttle — the malware which bears a resemblance to Tomiris — was one of the tools DarkHalo actors dropped as part of this second-phase of its campaign. The malware, written in GoLang, gave the threat actors a way to communicate with compromised systems and to remotely execute malicious commands, such as file uploads and downloads. FireEye
Mandiant
discovered the DarkHalo actors had used the malware in attacks going back to at least August 2020, or four months before SolarWinds discovered its Orion updates had been poisoned.
Malware Similarities
According to Kaspersky, the new Tomiris malware it recently detected is coded in the Go programming language, just like Sunshuttle. Like its apparent predecessor, Tomiris uses a single, common obfuscation method to encode both configurations and network traffic. Both malware families use similar tactics, such as sleep delays for persistence, and have similar features built into their functions. 
Misspellings in both Tomiris and Sunshuttle code suggest both malware tools were developed by a team who did not speak English natively. The researchers also discovered Tomiris on networks where machines had been infected with
Kazuar
, a malware tool associated with Russian APT group Turla, which has code overlaps with DarkHalos Sunburst.
The researchers made it very clear that the similarities suggest only a tenuous link between Tomiris and DarkHalo. But if the two are indeed linked, it shows the DarkHalo group, which vanished without a trace after the SolarWinds breach was discovered, has resurfaced. To conclusively make that link, Kaspersky would need additional information, Kwiatkowski says.
Ideally, we would need to find evidence that one of the families was used to deploy malware belonging to one of the other two, he says. Barring this, if other members of the community confirmed our opinion about the similarities between Sunshuttle and Tomiris, it would increase our overall confidence.
Kaspersky has shared its research with victims of the DNS hijacking attacks and customers of its threat intelligence service. The company continues to track Tomiris activity but has reached the point where all of the data available to it has been analyzed, Kwiatkowski says. He invited the broader security community to replicate Kasperskys findings to either confirm or disprove the link between Tomiris and DarkHalo.
Tomiris and its link to DarkHalo, if correct, is another reminder for enterprise organizations and government entities of just how determined their cyber adversaries can be, Kwiatkowski notes. 
It shows that perimeter defense is not enough and that steps should be taken to try and detect attackers while they are inside the network, he says.

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Shades of SolarWinds Attack Malware Found in New Tomiris Backdoor