Discovery of Tomiris Backdoor Linked to Sunshuttle and DarkHalo Hackers

Discovery of Tomiris Backdoor Linked to Sunshuttle and DarkHalo Hackers

Researchers have discovered a new link between Tomiris and DarkHalo, the APT responsible for the SolarWinds hack.

On Wednesday, during the Kaspersky Security Analyst Summit (SAS), researchers stated a new campaign showed commonalities to DarkHalo’s Sunshuttle and “target overlaps” with Kazuar.

The SolarWinds attacks occurred in 2020. SolarWinds Orion network management software was hacked, affecting around 18,000 customers in a software update-based supply-chain attack. While the malicious update might have reached thousands of customers, the threat actors seemed to have only singled out the targets worth further penetration, including Microsoft, FireEye, and government organizations.

Even the Microsoft president said the attack was the most extensive and sophisticated in the world.

The advanced persistent threat (APT) organization DarkHalo/Nobelium was eventually identified as the perpetrator. On target systems, it installed the Sunburst/Solorigate backdoor, Sunspot build server monitoring software, and Teardrop/Raindrop dropper, which was meant to deliver a Cobalt Strike beacon.

The campaign of the Russian state-backed organization was identified as UNC2452. It has been connected to the Sunshuttle/GoldMax backdoor.

In June, Kaspersky discovered a DNS hijacking effort targeting several government institutions in an unidentified CIS member state, following nearly six months of inactivity from DarkHalo.

For the most part, these hijackings were short and appeared to have primarily targeted the afflicted businesses’ mail systems. It’s still unclear how threat actors were able to accomplish this, but there are assumptions that they gained access to the registrar’s control panel through some means.

According to the researchers, users intending to access an email service were routed to a phony site, urging them to download a malicious software update. They were switching genuine DNS servers for compromised zones to attacker-controlled resolvers that made this possible. The Tomiris backdoor was included in this update.

Further investigation revealed that the backdoor’s primary goal was to get a foothold in the targeted machine and download additional malicious components. Unfortunately, the latter was not identified throughout the inquiry.

Tomiris, on the other hand, turned out to be a fascinating find. The backdoor is regarded as “suspiciously identical” to Sunshuttle.

Both backdoors are developed in Golang (Go), and they employ comparable encryption and obfuscation settings for configuration and network traffic management.

Furthermore, both Tomiris and Sunshuttle employ sleep-based delay techniques as well as scheduled activities for persistence. The basic process of the two applications suggests that they were created in the same way.

However, the backdoor has a few features aside from the capacity to download new malware. It suggests that Tomiris is most likely part of a larger operator toolkit.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Share: