Tomiris backdoor

At the SAS 2021 conference, our experts talked about the Tomiris backdoor, which appears to be linked to the DarkHalo group.

Our experts have found a new backdoor that cybercriminals are already using in targeted attacks. The backdoor, called Tomiris, is similar in a number of ways with Sunshuttle (aka GoldMax), malware that DarkHalo (aka Nobelium) used in a supply-chain attack against SolarWinds customers.

Tomiris’ capabilities

The Tomiris backdoor’s primary task is to deliver additional malware to the victim’s machine. It is in constant communication with the cybercriminals’ C&C server and downloads executable files, which it runs with the specified arguments, from there.

Our experts also found a file-stealing variant. The malware selected recently created files with certain extensions (.doc, .docx, .pdf, .rar, and others), then uploaded them to the C&C server.

The backdoor’s creators furnished it with various features to deceive security technologies and mislead investigators. For example, on delivery, the malware does nothing for 9 minutes, a delay likely to fool any sandbox-based detection mechanisms. What’s more, the C&C server’s address is not encoded directly inside Tomiris — the URL and port information come from a signaling server.

How Tomiris gets on computers

To deliver the backdoor, cybercriminals use DNS hijacking to redirect traffic from the target organizations’ mail servers to their own malicious sites (probably by obtaining credentials for the control panel on the site of the domain name registrar). That way, they can lure clients to a page that looks like the real mail service’s login page. Naturally, when somebody enters credentials on the fake page, the malefactors immediately get those credentials.

Of course, sites sometimes request users install a security update to function. In this case, the update was actually a downloader for Tomiris.

For more technical details about the Tomiris backdoor, along with indicators of compromise and observed connections between Tomiris and DarkHalo tools, see our Securelist post.

How to stay safe

The malware delivery method we describe above will not work if the computer accessing the Web mail interface is protected by a robust security solution. In addition, any activity by APT operators in the corporate network can be detected with the aid of the experts powering Kaspersky Managed Detection and Response.