Our experts have found a new backdoor that cybercriminals are already using in targeted attacks. The backdoor, called Tomiris, is similar in a number of ways with Sunshuttle (aka GoldMax), malware that DarkHalo (aka Nobelium) used in a supply-chain attack against SolarWinds customers.
The Tomiris backdoor’s primary task is to deliver additional malware to the victim’s machine. It is in constant communication with the cybercriminals’ C&C server and downloads executable files, which it runs with the specified arguments, from there.
Our experts also found a file-stealing variant. The malware selected recently created files with certain extensions (.doc, .docx, .pdf, .rar, and others), then uploaded them to the C&C server.
The backdoor’s creators furnished it with various features to deceive security technologies and mislead investigators. For example, on delivery, the malware does nothing for 9 minutes, a delay likely to fool any sandbox-based detection mechanisms. What’s more, the C&C server’s address is not encoded directly inside Tomiris — the URL and port information come from a signaling server.
How Tomiris gets on computers
To deliver the backdoor, cybercriminals use DNS hijacking to redirect traffic from the target organizations’ mail servers to their own malicious sites (probably by obtaining credentials for the control panel on the site of the domain name registrar). That way, they can lure clients to a page that looks like the real mail service’s login page. Naturally, when somebody enters credentials on the fake page, the malefactors immediately get those credentials.
Of course, sites sometimes request users install a security update to function. In this case, the update was actually a downloader for Tomiris.
For more technical details about the Tomiris backdoor, along with indicators of compromise and observed connections between Tomiris and DarkHalo tools, see our Securelist post.