New Tomiris backdoor was developed by the hackers who hacked SolarWinds


Kaspersky security researchers have announced the discovery of a new backdoor that was likely developed by the Nobelium hacking group that carried out last year’s SolarWinds supply chain attack.

This backdoor, called “FoggyWeb”, is a “passive and highly targeted” backdoor developed by the group and used to remotely steal sensitive information from compromised ADFS servers.

Kaspersky discovered a new malware called Tomiris, the first sample of which was used in the real world in February 2021.

Tomiris was discovered while investigating a series of DNS hijacking attacks that targeted multiple government zones in CIS member countries between December 2020 and January 2021. The attacks allowed the attackers to redirect traffic from government mail servers to machines under their control.

Victims are redirected to a webmail login page where the attacker steals their email credentials and, in some cases, forces them to install a malicious software update that downloads the previously unknown Tomiris backdoor.

Kaspersky said:

These hijackings were relatively brief and appear to have primarily targeted the mail servers of the affected organizations.

We don’t know how the attackers accomplished this, but it is likely that they somehow obtained credentials to the control panel of the registrar the victims were using.

https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/
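The hijacking described above relied on changing a zone's mail-related records at the registrar, briefly and without touching the victims' own servers. The defender's counterpart is a baseline check that re-resolves the zone on a schedule and flags any drift in the records that can redirect traffic. The following is an added example, not code from the article or from Kaspersky; every zone name, IP address and answer line in it is a constructed placeholder, and the `dig +noall +answer` line format it parses is assumed as the input source.

```python
# Added example (not from the article or from Kaspersky): a baseline check that
# flags registrar-level DNS hijacking of a zone's mail records. All zone names,
# IP addresses and answer lines below are constructed placeholders.
from dataclasses import dataclass
from typing import Iterable, Set

# Record types whose change would let an attacker redirect mail or clients.
REDIRECT_TYPES = {"A", "AAAA", "MX", "NS"}


@dataclass(frozen=True)
class Record:
    name: str   # owner name, normalised to lowercase without trailing dot
    rtype: str  # e.g. "MX"
    rdata: str  # normalised RDATA, e.g. "10 mail.example.gov"


def _norm_name(n: str) -> str:
    return n.rstrip(".").lower()


def parse_answer_lines(lines: Iterable[str]) -> Set[Record]:
    """Parse `dig +noall +answer` style lines: NAME TTL CLASS TYPE RDATA...

    TTLs are deliberately dropped: a hijacker often lowers them, and a TTL
    change alone should not hide or mask the record change we care about.
    """
    out: Set[Record] = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, _ttl, _cls, rtype, *rdata = parts
        rtype = rtype.upper()
        # Normalise hostnames inside RDATA so "mail.example.gov." == "mail.example.gov".
        if rtype in ("MX", "NS", "CNAME"):
            rdata = [_norm_name(p) for p in rdata]
        out.add(Record(_norm_name(name), rtype, " ".join(rdata)))
    return out


@dataclass
class Drift:
    added: Set[Record]
    removed: Set[Record]

    @property
    def hijack_suspected(self) -> bool:
        # Any unexpected A/AAAA/MX/NS record, added or removed, can redirect traffic.
        return any(r.rtype in REDIRECT_TYPES for r in self.added | self.removed)


def compare(baseline: Set[Record], observed: Set[Record]) -> Drift:
    return Drift(added=observed - baseline, removed=baseline - observed)


def check_zone(baseline_lines: Iterable[str], observed_lines: Iterable[str]) -> Drift:
    return compare(parse_answer_lines(baseline_lines), parse_answer_lines(observed_lines))


# Constructed baseline, captured when the zone was last verified by its owner.
BASELINE_ANSWERS = [
    "example.gov.      3600 IN NS  ns1.example.gov.",
    "example.gov.      300  IN MX  10 mail.example.gov.",
    "mail.example.gov. 300  IN A   192.0.2.10",
]

# Constructed answers as they might look during a brief redirection of the
# mail host: same MX, but the A record now points at an attacker-controlled IP.
HIJACKED_ANSWERS = [
    "example.gov.      3600 IN NS  ns1.example.gov.",
    "example.gov.      300  IN MX  10 mail.example.gov.",
    "mail.example.gov. 60   IN A   198.51.100.7",
]

if __name__ == "__main__":
    drift = check_zone(BASELINE_ANSWERS, HIJACKED_ANSWERS)
    for r in sorted(drift.removed, key=str):
        print("- removed:", r)
    for r in sorted(drift.added, key=str):
        print("+ added:  ", r)
    print("hijack suspected:", drift.hijack_suspected)
```

In practice the observed answers should come from more than one resolver (including an external one), because a hijack at the registrar is visible to the whole Internet while an internal resolver may still be serving cached or split-horizon data; the baseline itself should be stored somewhere the registrar account cannot alter.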

Tomiris, once deployed on a system, repeatedly queries the command and control server for more malicious payloads to execute on the compromised device, allowing the attacker to gain a foothold on the victim’s network.

Another variant can collect and leak documents from the compromised system. It automatically uploads recent files that match extensions of interest, such as .doc, .docx, .pdf, and .rar.

Kaspersky found many similarities between the two backdoors: both are written in Go, both achieve persistence through scheduled tasks, both use the same encoding scheme for C2 communication, and both have an automatic sleep trigger to reduce network noise.

We also discovered, on the same network as Tomiris, the Kazuar backdoor, which shares features with the Sunburst malware used to attack SolarWinds.

They did not, however, rule out that the new backdoor was created by the Russian-backed Nobelium hackers, and pointed to the possibility of a false-flag operation intended to deceive malware researchers.

It is possible that other APTs were aware of the existence of this tool, but it is unlikely that they would try to copy it before it was released.

A more likely (but still unconfirmed) hypothesis is that the authors of Sunshuttle started developing Tomiris as a replacement for the burned-out toolset around December 2020, when the SolarWinds operation was discovered.

What is Nobelium?

Nobelium, the hacking group that carried out the SolarWinds supply chain attack responsible for the compromise of multiple U.S. federal agencies, is a hacking unit of the Russian Foreign Intelligence Service (SVR), also tracked as APT29, The Dukes and Cozy Bear.

In April 2021, the US government formally accused the SVR division of coordinating a “widespread cyber espionage attack” on SolarWinds.

Cybersecurity firm Volexity has also linked the latest attack to the same hacking group operator, based on tactics used in previous incidents dating back to 2018.

In May, Microsoft researchers revealed four more malware families used by Nobelium in other attacks, including a malware downloader named “BoomBox,” a shellcode downloader and launcher named “VaporRage,” a malicious HTML attachment named “EnvyScout,” and a loader named “NativeZone.”

In March, we detailed three types of Nobelium malware used to maintain persistence on compromised networks: a command and control backdoor named “GoldMax,” an HTTP tracer tool tracked as “GoldFinder,” and a persistence tool and malware dropper named “Sibot.”
