
Tomiris Backdoor Trojan

Infosec researchers have discovered a new backdoor Trojan named Tomiris that might have links to the infamous NOBELIUM APT (Advanced Persistent Threat) group. Last year, NOBELIUM launched a supply-chain attack against the major U.S. IT firm SolarWinds. As part of the operation, the hackers used multiple highly targeted and custom-made malware threats. Tomiris has not been conclusively attributed to NOBELIUM, but the threat also shares certain similarities with Kazuar, one of the backdoors linked to the NOBELIUM APT.

Attack Campaign

The threatening operations involving Tomiris affected multiple government entities belonging to one of the CIS member states. Via DNS hijacking, the threat actor was able to redirect traffic from official government mail servers to machines under its control. Visitors without the expertise to notice the substitution would have found it extremely difficult to distinguish the fake pages from the originals, since they had entered the familiar URL and landed on a page their browser displayed as secure. Once redirected to the impostor page, the unsuspecting visitors were urged to download a corrupted software update carrying the Tomiris backdoor.
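An added example, not from the original page or the researchers' report: a defender-side check that compares the DNS answers seen from several vantage points against the organisation's own baseline, the kind of drift that a hijack of a mail host's records produces. All names, addresses and vantage-point labels are constructed placeholders.

```python
from typing import Dict, Set, Tuple, List

RecordKey = Tuple[str, str]            # (owner name, record type)
AnswerSet = Dict[RecordKey, Set[str]]  # records one vantage point returned

# Constructed baseline (hypothetical names, not from the original page):
# what the organisation's own zone data says its mail host resolves to.
BASELINE: AnswerSet = {
    ("example.gov", "MX"): {"mail.example.gov."},
    ("mail.example.gov", "A"): {"203.0.113.10"},
}

# Constructed answers from three vantage points. The "public" resolver
# hands back an address outside the organisation's range for the mail
# host, which is the symptom a hijack of that record would produce.
SAMPLE_ANSWERS: Dict[str, AnswerSet] = {
    "authoritative": {("example.gov", "MX"): {"mail.example.gov."},
                      ("mail.example.gov", "A"): {"203.0.113.10"}},
    "internal": {("example.gov", "MX"): {"mail.example.gov."},
                 ("mail.example.gov", "A"): {"203.0.113.10"}},
    "public": {("example.gov", "MX"): {"mail.example.gov."},
               ("mail.example.gov", "A"): {"198.51.100.77"}},
}

def find_drift(baseline: AnswerSet, answers: Dict[str, AnswerSet]) -> List[dict]:
    """Report every (vantage point, record) whose answer differs from the baseline.

    Both directions are flagged: values the baseline lacks (a rogue address
    added) and baseline values that are absent (the legitimate one replaced).
    """
    findings = []
    for resolver, seen in answers.items():
        for key, expected in baseline.items():
            got = seen.get(key, set())
            if got != expected:
                findings.append({"resolver": resolver, "name": key[0], "type": key[1],
                                 "unexpected": sorted(got - expected),
                                 "missing": sorted(expected - got)})
    return findings

def disagreeing_resolvers(answers: Dict[str, AnswerSet], key: RecordKey) -> bool:
    """True when the vantage points do not all return the same set for a record."""
    views = {frozenset(a.get(key, set())) for a in answers.values()}
    return len(views) > 1

if __name__ == "__main__":
    for f in find_drift(BASELINE, SAMPLE_ANSWERS):
        print(f"{f['resolver']}: {f['name']} {f['type']} "
              f"unexpected={f['unexpected']} missing={f['missing']}")
```

In practice the answer sets would be filled from periodic queries against the authoritative server, the internal resolver and one or more public resolvers, and any finding for a mail host's A or MX record would be raised as an alert.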

A Threatening Functionality and Similarities to Sunshuttle/GoldMax

The main functions of Tomiris concern establishing its presence on the compromised system and then delivering a next-stage payload of an as-yet-unidentified malware threat. While analyzing the behavior and underlying code of Tomiris, the researchers noticed numerous similarities with the second-stage malware Sunshuttle that NOBELIUM used in the SolarWinds attack. These include both threats being written in the Go programming language, using similar encryption/obfuscation methods, establishing persistence via scheduled tasks, and using sleep delays to hide their intrusive activities. In addition, the two threats also resemble each other in the way their general action flow is structured.
