Kaspersky security researchers have unearthed a new backdoor likely designed by the Nobelium advanced persistent threat (APT) behind last year’s SolarWinds supply chain attack.
The new malware, dubbed Tomiris, was first identified in June 2021 from samples dating back to February, a month before the “sophisticated second stage backdoor” Sunshuttle was spotted by FireEye and linked to Nobelium. Nobelium is also known by the monikers UNC2452, SolarStorm, StellarParticle, Dark Halo, and Iron Ritual.
“While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims. Evidence gathered so far indicates that Dark Halo spent six months inside Orion IT’s networks to perfect their attack and make sure that their tampering of the build chain wouldn’t cause any adverse effects,” Kaspersky researchers stated.
Moscow-headquartered firm Kaspersky identified Tomiris while examining a series of DNS hijacking attacks mounted against multiple government organizations in a CIS member state between December 2020 and January 2021, which allowed threat actors to redirect traffic from government mail servers to devices under their possession.
Their victims were redirected to webmail login pages that helped hackers steal their email credentials and, in some cases, tricked them into installing a malware update that instead downloaded the Tomiris backdoor.
“During these times, the authoritative DNS servers for the above zones were switched to attacker-controlled resolvers. Most of these hijackings were relatively brief and appear to have primarily targeted the mail servers of the affected organizations. We don’t know how the threat author was able to achieve this, but we assume that he somehow obtained credentials from the Registrar’s control panel used by the victims,” researchers added.
Multiple similarities between Tomiris and Sunshuttle malware
Researchers discovered multiple similarities between the Sunshuttle and Tomiris backdoors (e.g., both developed in GB, persistence through scheduled tasks, the same coding scheme for C2 communications, automated sleep triggers to reduce network noise). They also spotted the Kazuar backdoor, a .NET-based backdoor linked to the Turla group which shares multiple features with the Sunburst malware used in the SolarWinds attack on the same network as Tomiris.
Earlier this year in March 2021, Microsoft and FireEye describe Sunshuttle as a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with an attacker-controlled server to fetch and execute arbitrary commands on the exploited device as well as exfiltrate files from the system to the server.
Despite this, researchers have not established a conclusive link between the new backdoor and Russia-backed Nobelium state hackers due to the possibility of a false flag attack designed to mislead researchers.
The revelation comes days after Microsoft released the details of a passive and highly targeted implant dubbed ‘FoggyWeb’ that was employed by the Nobelium hacking group to deploy additional payloads and steal sensitive information from Active Directory Federation Services (ADFS) servers.