{"id":42239,"date":"2021-09-30T13:25:03","date_gmt":"2021-09-30T17:25:03","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=42239"},"modified":"2021-09-30T13:25:03","modified_gmt":"2021-09-30T17:25:03","slug":"tomiris-backdoor","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/tomiris-backdoor\/42239\/","title":{"rendered":"Tomiris backdoor"},"content":{"rendered":"<p>Our experts have found a new backdoor that cybercriminals are already using in targeted attacks. The backdoor, called Tomiris, is similar in a number of ways to Sunshuttle (aka GoldMax), malware that DarkHalo (aka Nobelium) used in a supply-chain attack against SolarWinds customers.<\/p>\n<h2>Tomiris\u2019 capabilities<\/h2>\n<p>The Tomiris backdoor\u2019s primary task is to deliver additional malware to the victim\u2019s machine. It is in constant communication with the cybercriminals\u2019 C&amp;C server, from which it downloads executable files that it then runs with the specified arguments.<\/p>\n<p>Our experts also found a file-stealing variant. This malware selected recently created files with certain extensions (.doc, .docx, .pdf, .rar, and others) and uploaded them to the C&amp;C server.<\/p>\n<p>The backdoor\u2019s creators furnished it with various features to deceive security technologies and mislead investigators. For example, on delivery, the malware does nothing for 9 minutes, a delay likely to fool any <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/sandbox\/\" target=\"_blank\" rel=\"noopener\">sandbox<\/a>-based detection mechanisms. 
What\u2019s more, the C&amp;C server\u2019s address is not encoded directly inside Tomiris\u00a0\u2014 the URL and port information come from a signaling server.<\/p>\n<h2>How Tomiris gets on computers<\/h2>\n<p>To deliver the backdoor, cybercriminals use <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/dns-hijacking\/\" target=\"_blank\" rel=\"noopener\">DNS hijacking<\/a> to redirect traffic from the target organizations\u2019 mail servers to their own malicious sites (probably by obtaining credentials for the control panel at the domain name registrar\u2019s site). That way, they can lure clients to a page that looks like the real mail service\u2019s login page. Naturally, when somebody enters credentials on the fake page, the malefactors immediately obtain those credentials.<\/p>\n<p>Of course, sites sometimes ask users to install a security update in order to function. In this case, the update was actually a downloader for Tomiris.<\/p>\n<p>For more technical details about the Tomiris backdoor, along with indicators of compromise and observed connections between Tomiris and DarkHalo tools, see our <a href=\"https:\/\/securelist.com\/darkhalo-after-solarwinds-the-tomiris-connection\/104311\/\" target=\"_blank\" rel=\"noopener\">Securelist post<\/a>.<\/p>\n<h2>How to stay safe<\/h2>\n<p>The malware delivery method we describe above will not work if the computer accessing the webmail interface is protected by a robust <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">security solution<\/a>. 
In addition, any activity by APT operators in the corporate network can be detected with the aid of the experts powering <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/managed-detection-and-response?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Managed Detection and Response<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At the SAS 2021 conference, our experts talked about the Tomiris backdoor, which appears to be linked to the DarkHalo group.<\/p>\n","protected":false},"author":2581,"featured_media":35071,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[499,4236,337,4235,333],"class_list":{"0":"post-42239","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-apt","10":"tag-darkhalo","11":"tag-sas","12":"tag-sas-2021","13":"tag-security-analyst-summit"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/tomiris-backdoor\/42239\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/tomiris-backdoor\/23437\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/tomiris-backdoor\/18910\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/tomiris-backdoor\/9466\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/tomiris-backdoor\/25503\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/tomiris-backdoor\/23581\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/tomiris-backdoor\/23001\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/tomiris-backdoor\/26156\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/tomiris-backdoor\/25712\/"},{"hre
flang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/tomiris-backdoor\/31600\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/tomiris-backdoor\/10112\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/tomiris-backdoor\/17824\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/tomiris-backdoor\/18271\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/tomiris-backdoor\/15371\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/tomiris-backdoor\/27511\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/tomiris-backdoor\/31733\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/tomiris-backdoor\/27661\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/tomiris-backdoor\/29792\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/tomiris-backdoor\/29591\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/sas\/","name":"SAS"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/42239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=42239"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/42239\/revisions"}],"predecessor-version":[{"id":42244,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/42239\/revisions\/42244"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/35071"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=42239"}],"wp:term":[{"taxonomy":"category","embeddable":tr
ue,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=42239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=42239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}