Kaspersky links new Tomiris malware to Nobelium group

Security outfit Kaspersky has presented research on what appears to be the second new tool of the Nobelium advanced persistent threat group outed so far this week – a piece of malware dubbed Tomiris.
The new malware is linked to an earlier tool known as Sunshuttle, itself a second-stage successor to the Sunburst malware used in the high-profile supply-chain attack carried out on SolarWinds' Orion IT monitoring system last year.
"While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims," Kaspersky's researchers claim in the report, presented at the Security Analyst Summit 2021 today. "It is believed that when FireEye discovered the first traces of the campaign, the threat actor (DarkHalo aka Nobelium) had already been working on it for over a year."

The Sunshuttle second-stage malware was written in Go and used an HTTPS connection to an external command-and-control server for updates and exfiltration.

The new Tomiris backdoor, retrieved by Kaspersky in June this year from samples dating back to February, is also written in Go – and that's just the first of the similarities noted by the researchers.
"The same separator is used in the configuration file to separate elements," according to the researchers. "In the two families, the same encryption/obfuscation scheme is used to encode configuration files and communicate with the C2 server. Both families comp ..