In December 2020, news of the SolarWinds incident took the world by storm. While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims. It is believed that when FireEye detected the first traces of the campaign, the threat actor (DarkHalo aka Nobelium) had already been working on it for over a year. Evidence gathered so far indicates that DarkHalo spent six months inside OrionIT's networks to perfect their attack and make sure that their tampering with the build chain wouldn't have any adverse effects.
The first malicious update was pushed to SolarWinds customers in March 2020, and it contained a malware named Sunburst. It is reasonable to assume that DarkHalo leveraged this access to collect intelligence until the day they were discovered. The following timeline sums up the different phases of the campaign:
In December 2020, we analyzed the DNS-based protocol of the malicious implant and determined that it leaked the identity of the main victims selected for further exploitation by DarkHalo. One month later, we discovered interesting similarities between Sunburst and Kazuar, another malware family linked to Turla by Palo Alto.
In March 2021, FireEye and Microsoft released additional information about the second-stage malware used during the campaign, Sunshuttle (aka GoldMax). Later, in May 2021, Microsoft also attributed a spear-phishing campaign impersonating a US-based organization to Nobelium. But by then the trail had already gone cold: DarkHalo had long since ceased operations, and no subsequent attacks were ever linked to them.
Later this year, in June, our internal systems picked up traces of a successful DNS hijacking affecting several government zones of a CIS member state. These incidents occurred during short periods in December 2020 and January 2021 and allowed the malicious threat actor to redirect traffic from government mail servers to machines they controlled.
Zone         | Period during which the authoritative servers were malicious | Hijacked domains
mfa.***      | December 22-23, 2020 and January 13-14, 2021                 | mail.mfa.***, kk.mfa.***
invest.***   | December 28, 2020 to January 13, 2021                        | mail.invest.***
fiu.***      | December 29, 2020 to January 14, 2021                        | mx1.fiu.***, mail.fiu.***
infocom.***  | January 13-14, 2021                                          | mail.infocom.***
During these time frames, the authoritative DNS servers for the zones above were switched to attacker-controlled resolvers. These hijacks were for the most part relatively brief and appear to have primarily targeted the mail servers of the affected organizations. We do not know how the threat actor was able to achieve this, but we assume they somehow obtained credentials to the control panel of the registrar used by the victims.
While the malicious redirections were active, visitors were directed to webmail login pages that mimicked the original ones. Because the attackers controlled the domain names they were hijacking, they were able to obtain legitimate SSL certificates from Let's Encrypt for all these fake pages, making it very difficult for non-educated visitors to notice the attack: after all, they were connecting to the usual URL and landed on a page served over HTTPS.
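The hijack pattern described above (a zone's authoritative nameservers silently swapped to unfamiliar hosts for a day or two) is the kind of change a defender can catch by periodically comparing each monitored zone's NS set against a known-good baseline. The following is an added example, not code from the original article or from any of the organizations it discusses: the zone names, the baseline NS sets and the "observed" NS sets are constructed placeholders, and in practice the observed sets would come from a scheduled live NS lookup while the baseline would come from the registrar's known configuration.

```python
"""Detect authoritative-nameserver drift for monitored zones.

Added example: zones, baseline and observed NS sets below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NsDrift:
    zone: str
    added: frozenset    # nameservers present now but absent from the baseline
    removed: frozenset  # baseline nameservers that no longer serve the zone


def normalize(ns_names):
    # DNS names are case-insensitive and may or may not carry the trailing dot,
    # so canonicalize before comparing to avoid false alerts on cosmetic changes.
    return frozenset(n.lower().rstrip(".") for n in ns_names)


def check_zone(zone, baseline_ns, observed_ns):
    """Return an NsDrift for this zone, or None if the NS set is unchanged."""
    base, obs = normalize(baseline_ns), normalize(observed_ns)
    if base == obs:
        return None
    return NsDrift(zone, added=obs - base, removed=base - obs)


def audit(baseline, observations):
    """Return one NsDrift per zone whose observed NS set differs from baseline.

    A zone missing from the observations is reported as fully removed, since
    a lookup that returns nothing is itself worth an analyst's attention."""
    drifts = []
    for zone, base_ns in baseline.items():
        drift = check_zone(zone, base_ns, observations.get(zone, ()))
        if drift is not None:
            drifts.append(drift)
    return drifts


# Constructed baseline (hypothetical registrar nameservers) and a constructed
# snapshot in which one zone's delegation has been pointed at unfamiliar hosts.
BASELINE = {
    "mfa.example": ["ns1.registrar.example.", "ns2.registrar.example."],
    "invest.example": ["ns1.registrar.example.", "ns2.registrar.example."],
}
OBSERVED = {
    # unchanged: only casing and trailing dots differ
    "mfa.example": ["NS1.registrar.example", "ns2.registrar.example"],
    # delegation swapped to servers the organisation never configured
    "invest.example": ["ns-a.attacker-hosting.example", "ns-b.attacker-hosting.example"],
}

if __name__ == "__main__":
    for d in audit(BASELINE, OBSERVED):
        print(f"[ALERT] {d.zone}: NS delegation changed; "
              f"added={sorted(d.added)} removed={sorted(d.removed)}")
```

Because the hijacks in the table lasted as little as one or two days, the comparison has to run at least daily to be useful; pairing it with a Certificate Transparency watch for the same domains would have surfaced the Let's Encrypt certificates the attackers obtained as a second signal.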
Malicious webmail login page set up by the attackers
In all likelihood, any credentials typed into such web pages were harvested by the attackers and reused in subsequent stages of the attack. In some instances, they also added a message on the page to trick the user into installing a malicious "security update". In the screenshot above, the text reads: "to continue working with the email service, you need to install a security update: download the update".
Tomiris is a backdoor written in Go whose role is to continuously query its C2 server for executables to download and execute on the victim system. Before performing any operations, it sleeps for at least nine minutes in a possible attempt to defeat sandbox-based analysis systems. It establishes persistence with scheduled tasks by creating and running a batch file containing the following command:
SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR "[path to self]" /ST 10:00
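A scheduled-task creation like the one above is visible in process-creation telemetry (the batch file spawns schtasks.exe with that command line) and in the Windows task-scheduler event log, so a useful detection step is to parse such command lines and flag the ones that run a binary from a user-writable directory or create a task name nobody expects. The following is an added example, not code from the original article: the command lines, the drop path, the allowlist of task names and the user-writable path markers are all constructed, and only the task name StartDVL and the flag layout come from the command quoted above.

```python
"""Parse SCHTASKS /CREATE command lines and flag persistence-like patterns.

Added example: command lines, paths and allowlist below are constructed.
"""
import re

# A quoted argument (spaces kept intact) or a run of non-whitespace characters.
TOKEN = re.compile(r'"[^"]*"|\S+')

# Path fragments that indicate a user-writable drop location (matched lowercase).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\downloads\\", "\\programdata\\")

# Constructed allowlist of task names the organisation expects to see created.
KNOWN_TASKS = {"VendorBackup", "InventoryAgentRefresh"}


def parse_schtasks(cmdline):
    """Return the fields of a SCHTASKS /CREATE command (sc, tn, tr, st),
    or None when the command line is not a task creation."""
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    task = {"action": None, "sc": None, "tn": None, "tr": None, "st": None}
    i = 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/create", "/delete", "/change", "/run", "/query"):
            task["action"] = flag[1:]
        elif flag in ("/sc", "/tn", "/tr", "/st") and i + 1 < len(toks):
            task[flag[1:]] = toks[i + 1]   # flag takes the next token as its value
            i += 1
        i += 1
    return task if task["action"] == "create" else None


def suspicious_reasons(task):
    """List the reasons a parsed task creation deserves analyst attention."""
    reasons = []
    run = (task["tr"] or "").lower()
    if any(marker in run for marker in USER_WRITABLE):
        reasons.append("runs a binary from a user-writable location: " + task["tr"])
    if task["tn"] not in KNOWN_TASKS:
        reasons.append("task name not in the allowlist: " + str(task["tn"]))
    return reasons


# Constructed command lines: the first follows the layout quoted above with a
# hypothetical drop path; the second is a benign, allowlisted creation.
SAMPLE_MALICIOUS = r'SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR "C:\Users\victim\AppData\Roaming\svc\update.exe" /ST 10:00'
SAMPLE_BENIGN = r'C:\Windows\System32\schtasks.exe /Create /SC WEEKLY /TN VendorBackup /TR "C:\Program Files\Vendor\backup.exe" /ST 02:00'

if __name__ == "__main__":
    for line in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        task = parse_schtasks(line)
        print(task["tn"], "->", suspicious_reasons(task) or "no findings")
```

The allowlist check is deliberately strict: in an environment where task creation is rare, an unknown task name is worth a look even when the binary lives in a conventional location, and the parsed fields (task name, run path, start time) are what an analyst would pivot on when hunting for the same persistence on other hosts.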
The C2 server address is not embedded directly inside Tomiris: instead, it connects to a signalization server that provides the URL and port to which the backdoor should connect. Then Tomiris sends GET requests to that URL until the C2 server answers with a JSON object of the following structure:
{
  "filename": "[filename]",
  "args": "[arguments]",
  "file": "[base64-encoded executable]"
}
This object describes an executable that is dropped on the victim machine and run with the provided arguments. This feature, and the fact that Tomiris has no capability beyond downloading more tools, indicate that there are additional parts to this toolset, but regrettably we have so far been unable to recover them.
We also identified a Tomiris variant (internally named "SBZ", MD5 51AA89452A9E57F646AB64BE6217788E) which acts as a file stealer, and uploads any recent file matching a hardcoded set of extensions (.doc, .docx, .pdf, .rar, etc.) to the C2.
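When a C2 response of that shape is captured (from a proxy log, a PCAP or a sandbox run), the payload it carries can be recovered and hashed for triage without ever executing it. The following is an added example, not code from the original article: the three-field JSON layout (filename, args, file) is the structure described above, while the payload bytes, file name and arguments are constructed placeholders rather than a real sample.

```python
"""Decode a captured Tomiris-style C2 response and extract the embedded
executable for offline analysis, without running it.

Added example: the JSON layout is the one described above; the payload,
file name and arguments are constructed placeholders.
"""
import base64
import hashlib
import json


class BadResponse(ValueError):
    """Raised when the captured object does not match the expected layout."""


def extract_payload(raw):
    """Return metadata plus the decoded bytes of the executable in 'file'.

    Raises BadResponse for non-JSON input, a missing field or invalid base64,
    so a truncated capture never yields a silently half-decoded binary."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise BadResponse(f"not JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise BadResponse("top-level value is not an object")
    missing = {"filename", "args", "file"} - set(obj)
    if missing:
        raise BadResponse(f"missing field(s): {sorted(missing)}")
    try:
        blob = base64.b64decode(obj["file"], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise BadResponse(f"'file' is not valid base64: {exc}") from None
    return {
        "filename": obj["filename"],
        "args": obj["args"],
        "size": len(blob),
        "is_pe": blob[:2] == b"MZ",  # DOS-header magic of a Windows executable
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "payload": blob,
    }


def rejects(raw):
    """True if extract_payload refuses the input (convenience for checks)."""
    try:
        extract_payload(raw)
    except BadResponse:
        return True
    return False


# Constructed stand-in for a dropped executable: a DOS-header stub, not a real PE.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."

# Constructed response in the layout the backdoor expects.
SAMPLE_RESPONSE = json.dumps({
    "filename": "update.exe",
    "args": "/silent",
    "file": base64.b64encode(FAKE_PE).decode(),
})

if __name__ == "__main__":
    meta = extract_payload(SAMPLE_RESPONSE)
    print(f"{meta['filename']} ({meta['size']} bytes, PE={meta['is_pe']}) "
          f"md5={meta['md5']} sha256={meta['sha256']}")
    # A capture cut off mid-object must be rejected, not partially decoded.
    print("truncated capture rejected:", rejects(SAMPLE_RESPONSE[:-10]))
```

The hashes returned here are what an analyst would compare against indicator lists such as the one at the end of this article; the decoded bytes should go to a quarantine location or a sandbox, never to the path named in the "filename" field.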
Finally, some small clues detected during this investigation indicate with low confidence that the authors of Tomiris could be Russian-speaking.
The Tomiris connection
While analyzing Tomiris, we noticed a number of similarities with the Sunshuttle malware discussed above:
- Both malware families were developed in Go, with optional UPX packing.
- The same separator ("|") is used in the configuration file to separate elements.
- In the two families, the same encryption/obfuscation scheme is used to encode configuration files and communicate with the C2 server.
- According to Microsoft's report, Sunshuttle relied on scheduled tasks for persistence as well.
- Both families make comparable use of randomness:
  - Sunshuttle randomizes its referrer and decoy URLs used to generate benign traffic. It also sleeps 5-10 seconds (by default) between each request.
  - Tomiris adds a random delay (0-2 seconds or 0-30 seconds depending on the context) to the base time it sleeps at various points during the execution. It also contains a list of target folders to drop downloaded executables, from which the program picks at random.
  - Tomiris and Sunshuttle both gratuitously reseed the RNG with the output of Now() before each call.
- Both malware families regularly sleep during their execution to avoid generating too much network activity.
- The general workflow of the two programs, in particular the way features are distributed into functions, feels similar enough that this analyst feels it could be indicative of shared development practices. An example of this is how the main loop of the program is transferred to a new goroutine when the preparation steps are complete, while the main thread remains mostly inactive forever.
- English mistakes were found in both the Tomiris ("isRunned") and Sunshuttle ("EXECED" instead of "executed") strings.
None of these items, taken individually, is enough to link Tomiris and Sunshuttle with sufficient confidence. We freely admit that a number of these data points could be accidental, but still consider that taken together they at least suggest the possibility of common authorship or shared development practices.
A final piece of circumstantial evidence we would like to present is the discovery that other machines in a network infected with Tomiris were infected with the Kazuar backdoor. Unfortunately, the available data doesn’t allow us to determine whether one of the malicious programs leads to the deployment of the other, or if they originate from two independent incidents.
In the end, a number of clues hint at links between Sunburst, Kazuar and Tomiris, but it feels like we're still missing one piece of evidence that would allow us to attribute them all to a single threat actor. We would like to conclude this section by addressing the possibility of a false flag attempt: it could be argued that due to the high-profile nature of Sunshuttle, other threat actors could have purposefully tried to reproduce its design in order to mislead analysts. The earliest Tomiris sample we are aware of appeared in February 2021, 1 month before Sunshuttle was revealed to the world. While it is possible that other APTs were aware of the existence of this tool at that time, we feel it is unlikely they would try to imitate it before it was even disclosed. A much likelier (but as yet unconfirmed) hypothesis is that Sunshuttle's authors started developing Tomiris around December 2020, when the SolarWinds operation was discovered, as a replacement for their burned toolset.
If our guess that Tomiris and Sunshuttle are connected is correct, it would shed new light on the way threat actors rebuild capabilities after getting caught. We would like to encourage the threat intelligence community to reproduce this research and provide second opinions about the similarities we detected between Sunshuttle and Tomiris. In order to bootstrap these efforts, Kaspersky is pleased to announce a free update to our Targeted Malware Reverse Engineering course, featuring a whole new track dedicated to reverse engineering Go malware and using Sunshuttle as an example. The first two parts are also available on YouTube:
Indicators of compromise
Tomiris Downloader
MD5: 109106feea31a3a6f534c7d923f2d9f7
SHA1: 7f8593f741e29a2a2a61e947694445f438b33380
SHA256: 8900cf88a91fa4fbe871385c8747c7097537f1b5f4a003418d84c01dc383dd75
MD5: fd59dd7bb54210a99c1ed677bbfc03a8
SHA1: 292c3602eb0213c9a0123fdaae522830de3fad95
SHA256: c9db4f661a86286ad47ad92dfb544b702dca8ffe1641e276b42bec4cde7ba9b4
Tomiris staging server
51.195.68[.]217
Tomiris signalization server
update.softhouse[.]storage
Tomiris build path
C:/Projects/go/src/Tomiris/main.go