Kaspersky links new Tomiris malware to Nobelium group

Typical: you wait months for new nasties then two come along at once


Security outfit Kaspersky has presented research on what appears to be the second new tool of the Nobelium advanced persistent threat group outed so far this week – a piece of malware dubbed Tomiris.

The new malware is linked to an earlier tool known as Sunshuttle, itself a second-stage successor to the Sunburst malware used in the high-profile supply-chain attack carried out on SolarWinds' Orion IT monitoring system last year.

"While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims," Kaspersky's researchers claim in the report, presented at the Security Analyst Summit 2021 today. "It is believed that when FireEye discovered the first traces of the campaign, the threat actor (DarkHalo aka Nobelium) had already been working on it for over a year."

The Sunshuttle second-stage malware was written in Go and used an HTTPS connection to an external command-and-control server for updates and exfiltration.

The new Tomiris backdoor, retrieved by Kaspersky in June this year from samples dating back to February, is also written in Go – and that's just the first of the similarities noted by the researchers.

"The same separator is used in the configuration file to separate elements," according to the researchers. "In the two families, the same encryption/obfuscation scheme is used to encode configuration files and communicate with the C2 server. Both families comparably rely on randomness. Both malware families regularly sleep during their execution to avoid generating too much network activity.

"The general workflow of the two programs, in particular the way features are distributed into functions, feel similar enough that this analyst feels they could be indicative of shared development practices. An example of this is how the main loop of the program is transferred to a new routine when the preparation steps are complete, while the main thread remains mostly inactive forever. English mistakes were found in both the Tomiris ('isRunned') and Sunshuttle ('EXECED' instead of 'executed') strings," according to the report.

"None of these items taken individually is enough to link Tomiris and Sunshuttle with sufficient confidence," admitted Kaspersky security researcher Pierre Delcher in a statement issued ahead of the presentation. "We freely admit that a number of these data points could be accidental, but still feel that taken together they at least suggest the possibility of common authorship or shared development practices."

"If our guess that Tomiris and Sunshuttle are connected is correct," added fellow researcher Ivan Kwiatkowski, "it would shed new light on the way threat actors rebuild capacities after being caught. We would like to encourage the threat intelligence community to reproduce this research and provide second opinions about the similarities we discovered between Sunshuttle and Tomiris."

In the report's conclusion, the pair admit that "we're still missing one piece of evidence that would allow us to attribute them all to a single threat actor," and raised the possibility of a "false flag attack" in which unknown threat actors simply tried to copy the design of Sunshuttle in order to throw researchers off the scent. "A much likelier (but yet unconfirmed) hypothesis," the report noted, "is that Sunshuttle's authors started developing Tomiris around December 2020 when the SolarWinds operation was discovered, as a replacement for their burned toolset."

While Kaspersky's research concluded Nobelium ceased operations following the SolarWinds hack and that "no subsequent attacks were ever linked to them," it's a little behind the times: earlier this week Microsoft issued a warning of a newly-discovered malware known as FoggyWeb and designed to exfiltrate data from and introduce a backdoor into Active Directory Federation Services (AD FS) servers which, it claimed, came from the Nobelium group and was in active use from April this year.

According to Kaspersky's report, the Tomiris infections – the targets of which it has not disclosed – were the result of DNS hijacking on the "government zones of a CIS member state" during December 2020 and January 2021, harvesting credentials and prompting to install a "security update" which acted as a loader for the malware.

Full details of the research, including indicators of compromise (IOCs) for Tomiris, can be found on Kaspersky's Securelist. The company did not respond to a query as to whether Microsoft's findings invalidate any of its own assumptions in time for publication. ®


Other stories you might like

  • AMD claims its GPUs beat Nvidia on performance per dollar
    * Terms, conditions, hardware specs and software may vary – a lot

    As a slowdown in PC sales brings down prices for graphics cards, AMD is hoping to win over the market's remaining buyers with a bold, new claim that its latest Radeon cards provide better performance for the dollar than Nvidia's most recent GeForce cards.

    In an image tweeted Monday by AMD's top gaming executive, the chip designer claims its lineup of Radeon RX 6000 cards provide better performance per dollar than competing ones from Nvidia, with all but two of the ten cards listed offering advantages in the double-digit percentages. AMD also claims to provide better performance for the power required by each card in all but two of the cards.

    Continue reading
  • Google opens the pod doors on Bay View campus
    A futuristic design won't make people want to come back – just ask Apple

    After nearly a decade of planning and five years of construction, Google is cutting the ribbon on its Bay View campus, the first that Google itself designed.

    The Bay View campus in Mountain View – slated to open this week – consists of two office buildings (one of which, Charleston East, is still under construction), 20 acres of open space, a 1,000-person event center and 240 short-term accommodations for Google employees. The search giant said the buildings at Bay View total 1.1 million square feet. For reference, that's less than half the size of Apple's spaceship. 

    The roofs on the two main buildings, which look like pavilions roofed in sails, were designed that way for a purpose: They're a network of 90,000 scale-like solar panels nicknamed "dragonscales" for their layout and shimmer. By scaling the tiles, Google said the design minimises damage from wind, rain and snow, and the sloped pavilion-like roof improves solar capture by adding additional curves in the roof. 

    Continue reading
  • Pentester pops open Tesla Model 3 using low-cost Bluetooth module
    Anything that uses proximity-based BLE is vulnerable, claim researchers

    Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

    Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

    Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

    Continue reading

Biting the hand that feeds IT © 1998–2022