[BreachExchange] Shades of SolarWinds Attack Malware Found in New 'Tomiris' Backdoor

[Sophia Kingsbury]

https://www.darkreading.com/vulnerabilities-threats/shades-of-solarwinds-attack-malware-found-in-new-tomiris-backdoor

Advanced persistent threat (APT) actors rarely simply stop operations when
their malware and techniques get exposed. Many just regroup, refresh their
toolkits, and resume operations when the heat has died down a bit.

Such appears to be the case — at least circumstantially — with DarkHalo,
the Russian-government affiliated threat actor behind the supply attack on
SolarWinds that rattled the industry in a manner unlike any malicious
campaign in recent memory.

Researchers at Kaspersky this week said they had detected a new backdoor
they have dubbed "Tomiris," which has multiple attributes that suggest a
link to "Sunshuttle," a second-stage malware that DarkHalo used in its
SolarWinds campaign. This includes the programming language used to
Tomiris, its obfuscation and persistence mechanisms, and the general
workflow of the two malware samples.

Kaspersky discovered the Tomiris backdoor in June while investigating
successful DNS hijacking incidents that impacted government agencies of a
country that previously belonged to the Soviet Union and is now a member of
the nine-country Commonwealth of Independent States. The security vendor
described the DNS hijacking incidents as happening in brief periods in
December 2020 and January 2021. In the attacks, the threat actor redirected
traffic from the impacted government email servers to servers they
controlled. Credential theft appears to have been the motive for the
campaign, Kaspersky said in a report this week.

While the similarities between Tomiris and Sunshuttle alone are not enough
to conclusively link the former to DarkHalo, they do suggest the two
malware samples were developed by the same author or had shared development
practices, according to Kaspersky.

"If our hypothesis proves true, it would show that DarkHalo is able to
rebuild its capabilities relatively quickly after having been caught in the
act," says Ivan Kwiatkowski, senior security researcher at Kaspersky. "It
would also solidify our perception of them as sophisticated and careful
threat actors who are able to set in motion complex attack scenarios, such
as supply chain attacks or DNS hijacking."

DarkHalo, also tracked as Nobelium, UNC2452, and StellarParticle, is a
threat group that several security vendors and others — including the US
government — have linked to Russia's Foreign Intelligence Service, SVR. The
group is responsible for breaking into SolarWinds' software development
environment and embedding a Trojan in signed updates of the company's Orion
network management technology. Some 18,000 organizations received the
Trojanized updates, of which less than 100 are believed to have been
targeted for subsequent attacks and data theft.

SolarWinds' investigation of the breach — after FireEye notified the
company of it in December 2020 — showed DarkHalo actors had begun probing
its networks as early as 2019 and subsequently gained access to its build
environment. They used the access to embed a Trojan called Sunburst in the
Orion product updates that were distributed to 18,000 organizations. The
attackers later used Sunburst to download additional malware on systems
belonging to the 100 or so organizations that were the campaign's main
targets. Targets included US federal government agencies, security vendors,
and large corporations.

Sunshuttle — the malware which bears a resemblance to Tomiris — was one of
the tools DarkHalo actors dropped as part of this second-phase of its
campaign. The malware, written in GoLang, gave the threat actors a way to
communicate with compromised systems and to remotely execute malicious
commands, such as file uploads and downloads. FireEye Mandiant discovered
the DarkHalo actors had used the malware in attacks going back to at least
August 2020, or four months before SolarWinds discovered its Orion updates
had been poisoned.

Malware Similarities

According to Kaspersky, the new Tomiris malware it recently detected is
coded in the Go programming language, just like Sunshuttle. Like its
apparent predecessor, Tomiris uses a single, common obfuscation method to
encode both configurations and network traffic. Both malware families use
similar tactics, such as sleep delays for persistence, and have similar
features built into their functions.

Misspellings in both Tomiris and Sunshuttle code suggest both malware tools
were developed by a team who did not speak English natively. The
researchers also discovered Tomiris on networks where machines had been
infected with Kazuar, a malware tool associated with Russian APT group
Turla, which has code overlaps with DarkHalo's Sunburst.

The researchers made it very clear that the similarities suggest only a
tenuous link between Tomiris and DarkHalo. But if the two are indeed
linked, it shows the DarkHalo group, which vanished without a trace after
the SolarWinds breach was discovered, has resurfaced. To conclusively make
that link, Kaspersky would need additional information, Kwiatkowski says.

"Ideally, we would need to find evidence that one of the families was used
to deploy malware belonging to one of the other two," he says. "Barring
this, if other members of the community confirmed our opinion about the
similarities between Sunshuttle and Tomiris, it would increase our overall
confidence."

Kaspersky has shared its research with victims of the DNS hijacking attacks
and customers of its threat intelligence service. The company continues to
track Tomiris activity but has reached the point where all of the data
available to it has been analyzed, Kwiatkowski says. He invited the broader
security community to replicate Kaspersky's findings to either confirm or
disprove the link between Tomiris and DarkHalo.

Tomiris and its link to DarkHalo, if correct, is another reminder for
enterprise organizations and government entities of just how determined
their cyber adversaries can be, Kwiatkowski notes.

"It shows that perimeter defense is not enough and that steps should be
taken to try and detect attackers while they are inside the network," he
says.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210930/78ec13a1/attachment.html>