Researchers find a new back door likely linked to the SolarWinds attacker
Global cybersecurity firm Kaspersky claims to have discovered a new backdoor called Tomiris, which shows evidence that they are connected to the same actor behind the SolarWinds attacks that were uncovered last year.
Kaspersky researchers Ivan Kwiatkowski and Pierre Delcher said in a blog post that the actor in question, known by the nickname DarkHalo, likely used access to SolarWinds’ Orion network monitoring software servers to gather information that was used to create tomiris.
The study was presented at Kaspersky’s annual Security Analyst Summit, which is taking place online this year due to the pandemic.
News about the SolarWinds attacks came to light in December 2020. Both FireEye and Microsoft describe the attack as a global attack that implanted a Trojan horse in a file that was part of updates to the product; the compromised file was named SUNBURST. The Orion monitoring software runs under Windows.
After the SolarWinds attacks were published, there were no other major discoveries with the suspected actor behind them.
But Kwiatkowski and Delcher said they found traces of a successful DNA hijacking attack against several government organizations in a country that was part of the Commonwealth of Independent States, a name given to countries that came about as a result of the dissolution of the Soviet Union in 1991.
A timeline that summarizes the various steps of the campaign. Courtesy of Kaspersky
The attackers’ path was tracked and a web interface of the corporate email service ZImbra was found to be used, with users being sent to a fake copy of the same.
While researchers found that the main purpose of the back door was to set up a shop on a victim’s system and then download additional malicious components, it was unknown what was downloaded.
“However, another important observation was made: the Tomiris back door turned out to be suspiciously similar to Sunshuttle – [the] Malware used as a result of the infamous SUNBRST attack, “said Kwiatkowski and Delcher.
They cited the following similarities between the two malware components to justify their reasoning that there was a common author:
- Both Sunshuttle and Tomiris were written in the Go programming language.
- Both backdoors used a single encryption / obfuscation scheme to encode both the configurations and network traffic.
- Both used scheduled tasks for persistence and took advantage of randomness and sleep delay to stay hidden.
- There were enough similarities in the general workflow of the two programs – particularly in the way features are distributed within functions – to indicate that they were common development methods.
- English errors were found in Tomiris (“isRunned”) and Sunshuttle (“EXECED” instead of “executed”) strings, which could mean that they were non-native speakers. The DarkHalo actor is said to speak Russian.
- Tomiris was found on networks where Kazuar – the back door known for code overlap with SUNBURST – was present.
Kwiatkowski and Delcher were careful in their conclusions. “None of these items taken individually is enough to associate Tomiris and Sunshuttle with sufficient confidence. We freely admit that a number of these data points could be random, but we still believe that taken together they at least suggest the possibility of joint authorship or joint development practices, ”said Delcher.
Adding Kwiatkowski, “If our suspicion that Tomiris and Sunshuttle are linked is correct, it would shed new light on how threat actors restore their capacities after they are captured. We would like to encourage the threat intelligence community to reproduce this research and provide second opinions “on the similarities we found between Sunshuttle and Tomiris.”
OPENING OF THE ITWIRE SHOP
The eagerly awaited iTWire Shop is now open to our readers.
Visit the iTWire Shop, a leading address for stylish accessories, equipment and gadgets, lifestyle products and portable office utensils for everyday use, drones, zoom lenses for smartphones, software and online training.
PLUS big brands are: Apple, Lenovo, LG, Samsung, Sennheiser and many more.
Products available for every country.
We hope that you like the eagerly awaited iTWire shop and that you will find added value.
ENTER THE SHOP NOW!
INTRODUCING ITWIRE TV
iTWire TV brings unique value to the tech sector by providing a range of video interviews, news, views and reviews, and also gives vendors the opportunity to promote your business and marketing messages.
We’ll work with you to develop the message and conduct the interview or product review in a safe and collaborative manner. In contrast to other tech YouTube channels, we create a story around your message and publish it on the ITWire homepage by linking to your message.
Additionally, your interview post message can appear in up to 7 different post ads on our iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant lead generation opportunity for your business.
We also offer 3 videos in one recording / session if you wish so that you have a range of videos to promote to your clients. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.
See the latest in tech news, views, interviews, reviews, product promos, and events. Plus funny videos from our readers and customers.
SEE WHAT’S ON ITWIRE TV NOW!