Security outfit Kaspersky has presented research on what appears to be the second new tool of the Nobelium advanced persistent threat group outed so far this week – a piece of malware dubbed Tomiris.
The new malware is linked to an earlier tool known as Sunshuttle, itself a second-stage successor to the Sunburst malware used in the high-profile supply-chain attack carried out on SolarWinds’ Orion IT monitoring system last year.
“While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims,” Kaspersky’s researchers claim in the report, presented at the Security Analyst Summit 2021 today. “It is believed that when FireEye discovered the first traces of the campaign, the threat actor (DarkHalo aka Nobelium) had already been working on it for over a year.”
The Sunshuttle second-stage malware was written in Go and used an HTTPS connection to an external command-and-control server for updates and exfiltration.
The new Tomiris backdoor, retrieved by Kaspersky in June this year from samples dating back to February, is also written in Go – and that’s just the first of the similarities noted by the researchers.
“The same separator is used in the configuration file to separate elements,” according to the researchers. “In the two families, the same encryption/obfuscation scheme is used to encode configuration files and communicate with the C2 server. Both families comparably rely on randomness. Both malware families regularly sleep during their execution to avoid generating too much network activity.
“The general workflow of the two programs, in particular the way features are distributed into functions, feel similar enough that this analyst feels they could be indicative of shared development practices. An example of this is how the main loop of the program is transferred to a new routine when the preparation steps are complete, while the main thread remains mostly inactive forever. English mistakes were found in both the Tomiris (‘isRunned’) and Sunshuttle (‘EXECED’ instead of ‘executed’) strings,” according to the report.
“None of these items taken individually is enough to link Tomiris and Sunshuttle with sufficient confidence,” admitted Kaspersky security researcher Pierre Delcher in a statement issued ahead of the presentation. “We freely admit that a number of these data points could be accidental, but still feel that taken together they at least suggest the possibility of common authorship or shared development practices.”
“If our guess that Tomiris and Sunshuttle are connected is correct,” added fellow researcher Ivan Kwiatkowski, “it would shed new light on the way threat actors rebuild capacities after being caught. We would like to encourage the threat intelligence community to reproduce this research and provide second opinions about the similarities we discovered between Sunshuttle and Tomiris.”
In the report’s conclusion, the pair admit that “we’re still missing one piece of evidence that would allow us to attribute them all to a single threat actor,” and raised the possibility of a “false flag attack” in which unknown threat actors simply tried to copy the design of Sunshuttle in order to throw researchers off the scent. “A much likelier (but yet unconfirmed) hypothesis,” the report noted, “is that Sunshuttle’s authors started developing Tomiris around December 2020 when the SolarWinds operation was discovered, as a replacement for their burned toolset.”
While Kaspersky’s research concluded Nobelium ceased operations following the SolarWinds hack and that “no subsequent attacks were ever linked to them,” it’s a little behind the times: earlier this week Microsoft issued a warning of a newly-discovered malware known as FoggyWeb and designed to exfiltrate data from and introduce a backdoor into Active Directory Federation Services (AD FS) servers which, it claimed, came from the Nobelium group and was in active use from April this year.
According to Kaspersky’s report, the Tomiris infections – the targets of which it has not disclosed – were the result of DNS hijacking on the “government zones of a CIS member state” during December 2020 and January 2021, harvesting credentials and prompting to install a “security update” which acted as a loader for the malware.
Full details of the research, including indicators of compromise (IOCs) for Tomiris, can be found on Kaspersky’s Securelist. The company did not respond to a query as to whether Microsoft’s findings invalidate any of its own assumptions in time for publication. ®