Cybersecurity researchers on Wednesday disclosed a previously undocumented backdoor likely designed and developed by the Nobelium advanced persistent threat (APT) behind last year's SolarWinds supply chain attack, joining the threat actor's ever-expanding arsenal of hacking tools.
Moscow-headquartered firm Kaspersky codenamed the malware "Tomiris," calling out its similarities to another second-stage malware used during the campaign, SUNSHUTTLE (aka GoldMax), targeting the IT management software provider's Orion platform. Nobelium is also known by the monikers UNC2452, SolarStorm, StellarParticle, Dark Halo, and Iron Ritual.
"While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out because of the extreme carefulness of the attackers and the high-profile nature of their victims," Kaspersky researchers said. "Evidence gathered so far indicates that Dark Halo spent six months inside Orion IT's networks to perfect their attack and make sure that their tampering of the build chain wouldn't cause any adverse effects."
Microsoft, which detailed SUNSHUTTLE in March 2021, described the strain as a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with an attacker-controlled server to fetch and execute arbitrary commands on the compromised machine as well as exfiltrate files from the system to the server.
The new Tomiris backdoor, found by Kaspersky in June this year from samples dating back to February, is also written in Go and deployed via a successful DNS hijacking attack during which targets attempting to access the login page of a corporate email service were redirected to a fraudulent domain set up with a lookalike interface designed to trick the visitors into downloading the malware under the guise of a security update.
The attacks are believed to have been mounted against several government organizations in an unnamed CIS member state.
"The main purpose of the backdoor was to establish a foothold in the attacked system and to download other malicious components," the researchers said, in addition to finding a number of similarities ranging from the encryption scheme to the same spelling mistakes that collectively hint at the "possibility of common authorship or shared development practices."
This isn't the first time overlaps have been discovered between different tools put to use by the threat actor. Earlier this year, Kaspersky's analysis of Sunburst revealed a number of shared features between the malware and Kazuar, a .NET-based backdoor attributed to the Turla group. Interestingly, the cybersecurity company said it detected Tomiris in networks where other machines were infected with Kazuar, adding weight to prospects that the three malware families could be linked to one another.
That said, the researchers pointed out it could also be a case of a false flag attack, wherein threat actors deliberately reproduce the tactics and techniques adopted by a known adversary in an attempt to mislead attribution.
The revelation comes days after Microsoft took the wraps off a passive and highly targeted implant dubbed FoggyWeb that was employed by the Nobelium group to deliver additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers.
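As an added defensive illustration (not code from the article or from Kaspersky's report), the following Python compares observed DNS answers for a monitored webmail hostname against a known-good baseline, which is the kind of sudden change a hijack of the login page's DNS record would produce; the hostnames, addresses and log lines are constructed for the demo.

```python
# Added example (not from the article or Kaspersky's report): flag DNS answers
# for a monitored login hostname that fall outside a known-good baseline.
# Hostnames, addresses and the log format are constructed for this demo.
from dataclasses import dataclass
import ipaddress

# Constructed baseline of legitimate A records per monitored name.
EXPECTED = {"mail.example.com": {"198.51.100.10", "198.51.100.11"}}

# Constructed passive-DNS style records: "<epoch> <qname> <rtype> <rdata>".
SAMPLE_LOG = """\
1612137600 mail.example.com A 198.51.100.10
1612141200 mail.example.com A 198.51.100.11
1612144800 mail.example.com A 203.0.113.77
1612148400 mail.example.com A 203.0.113.77
1612152000 www.example.com A 198.51.100.20
bad line
"""

@dataclass(frozen=True)
class Alert:
    ts: int
    qname: str
    rdata: str

def parse_records(log):
    """Yield (ts, qname, rdata) for well-formed A records; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "A" or not parts[0].isdigit():
            continue
        ts, qname, _, rdata = parts
        try:
            ipaddress.ip_address(rdata)
        except ValueError:
            continue  # not an address; ignore rather than crash
        yield int(ts), qname.lower().rstrip("."), rdata

def find_hijack_candidates(log, expected=EXPECTED):
    """One alert per new (qname, rdata) pair outside the baseline; names
    not in the baseline are ignored (the check targets monitored hosts)."""
    seen, alerts = set(), []
    for ts, qname, rdata in parse_records(log):
        if qname in expected and rdata not in expected[qname]:
            if (qname, rdata) not in seen:
                seen.add((qname, rdata))
                alerts.append(Alert(ts, qname, rdata))
    return alerts
```

Feeding real resolver or passive-DNS output through `find_hijack_candidates` gives a first alert at the moment the monitored name starts answering with an address outside the baseline, which is the signal a defender would want to correlate with any "security update" downloads seen shortly afterwards.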