In December of last year the media covered the Sunburst security incident: the advanced persistent threat (APT) actor DarkHalo had compromised a widely used enterprise software provider and used its infrastructure for a long time to distribute spyware disguised as legitimate software updates. After the media attention and an intensive search by the security community, DarkHalo seemed to have either gone dark or disconnected, but…

Kaspersky says the threat may still be latent. Its Global Research and Analysis Team (GReAT) found last June traces of a successful DNS hijacking attack against several government organizations in the same country. In the case examined by the Russian company, the targets were trying to access the web interface of a corporate email service, but were redirected to a fake copy of that interface and then tricked into downloading a malicious software 'update'.
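A defender-side check of the kind that would surface such a redirection, added here as an illustration and not part of Kaspersky's report or tooling: it compares the addresses several resolvers return for a domain against a known-good allowlist and against each other, so that a single resolver (or network path) handing out a different answer stands out. The domain, resolver names and IP addresses below are constructed placeholders.

```python
"""Consistency check for DNS answers as an indicator of DNS hijacking.

Added example: compares the addresses several resolvers return for a domain
against a known-good allowlist and against each other. The domain, resolver
names and addresses used here are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Finding:
    domain: str
    resolver: str
    answer: str
    reason: str


def check_dns_answers(domain, expected, answers_by_resolver):
    """Return a list of Findings for `domain`.

    expected: iterable of known-good IP addresses (strings) for the domain.
    answers_by_resolver: mapping resolver name -> list of A/AAAA answers
                         (strings) observed from that vantage point.
    """
    findings = []
    expected_set = {ipaddress.ip_address(a) for a in expected}

    # 1. Any answer outside the allowlist is suspicious on its own.
    for resolver, answers in answers_by_resolver.items():
        for answer in answers:
            if ipaddress.ip_address(answer) not in expected_set:
                findings.append(Finding(domain, resolver, answer,
                                        "answer not in known-good set"))

    # 2. A resolver that disagrees with the majority view points at a
    #    hijacked path even when the allowlist is incomplete or stale.
    views = {r: frozenset(ipaddress.ip_address(a) for a in answers)
             for r, answers in answers_by_resolver.items()}
    if len(set(views.values())) > 1:
        majority = Counter(views.values()).most_common(1)[0][0]
        for resolver, view in views.items():
            if view != majority:
                findings.append(Finding(domain, resolver,
                                        ", ".join(sorted(str(ip) for ip in view)),
                                        "disagrees with majority of resolvers"))
    return findings


# Constructed sample: the corporate webmail host is expected at 203.0.113.10.
# The resolver reached from the affected site returns an address that neither
# the allowlist nor the other resolvers know about.
SAMPLE_DOMAIN = "webmail.example.gov"          # constructed placeholder
SAMPLE_EXPECTED = ["203.0.113.10"]             # constructed known-good answer
SAMPLE_ANSWERS = {                             # constructed observations
    "site-resolver": ["198.51.100.77"],
    "public-resolver-a": ["203.0.113.10"],
    "public-resolver-b": ["203.0.113.10"],
}


def run_sample():
    """Run the check over the constructed sample and return its findings."""
    return check_dns_answers(SAMPLE_DOMAIN, SAMPLE_EXPECTED, SAMPLE_ANSWERS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.domain} via {f.resolver}: {f.answer} ({f.reason})")
```

Querying the same name from an internal resolver and from two independent public ones, and alerting when they diverge, is cheap to run on a schedule; it does not prove a hijack by itself, but a divergence on the name of a login portal is exactly the condition under which a user could be steered to a look-alike page.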

Kaspersky recovered the 'update' from these attacks and discovered that it deployed a previously unknown backdoor, now known as Tomiris. The backdoor's apparent objective is to gain a foothold on the attacked system and download further malicious components. Kaspersky noticed that the Tomiris backdoor looked suspiciously similar to Sunshuttle, the malware deployed in the Sunburst attack.

The company has found several striking similarities. Like Sunshuttle, Tomiris was developed in the Go programming language. Both rely on scheduled tasks for persistence, use randomness and delays to hide their activity, and follow a very similar workflow. Moreover, Tomiris contains English errors in its strings, which suggests it was not created by native speakers of the language.

Finally, the Tomiris backdoor was discovered on networks where other machines were infected with Kazuar, a backdoor known for its code overlaps with Sunburst. The best way to deal with such situations is to take security measures, and to remember that this threat targets companies, which makes it all the more important for them to take those measures.
