Tomiris Backdoor Tentatively Linked to DarkHalo
Written by Karolis Liucveikis on
Kaspersky Labs recently published a report detailing a link between the Tomiris backdoor and the threat actors behind the SolarWinds attack that occurred towards the end of 2020. In summary, the backdoor closely resembles SunShuttle, another piece of malware deployed by DarkHalo, and the tactics used to find targets and deploy malware are similar as well.
To take a brief detour and revisit the SolarWinds incident: news of the attack began to emerge in December 2020, when FireEye and Microsoft revealed the breach. SolarWinds's Orion network management software was compromised in a software update-based supply-chain attack that impacted as many as 18,000 customers.
While many customers downloaded and installed the malicious update, those behind the attack then chose very specific targets among the users of SolarWinds' software. FireEye and Microsoft were perhaps the biggest names among the publicly disclosed victims, but various important governmental and law-enforcement agencies were also breached.
After months of investigation by various private and public institutions, the finger was pointed at the advanced persistent threat group DarkHalo, often tracked as APT29. The group is believed to be linked to Russia’s Foreign Intelligence Service (SVR), with operations dating back to 2008. In May 2021, both the UK and US governments attributed the SolarWinds incident to the group.
The group is well known for making extensive use of custom malware strains. In the SolarWinds incident, researchers managed to link several malware strains to the attack, including the Sunburst/Solorigate backdoor, the Sunspot build server monitoring software, and the Teardrop/Raindrop dropper, designed to deploy a Cobalt Strike beacon on target systems.
Now, after nearly six months of inactivity, researchers have detected DarkHalo activity. The latest campaign involves DNS hijacking against multiple government agencies in an unnamed Commonwealth of Independent States (CIS) member state. Kaspersky describes the DNS hijacking process as follows:
“…the authoritative DNS servers for the zones above were switched to attacker-controlled resolvers. These hijacks were for the most part relatively brief and appear to have primarily targeted the mail servers of the affected organizations. We do not know how the threat actor was able to achieve this, but we assume they somehow obtained credentials to the control panel of the registrar used by the victims…While the malicious redirections were active, visitors were directed to webmail login pages that mimicked the original ones. Due to the fact that the attackers controlled the various domain names they were hijacking, they were able to obtain legitimate SSL certificates from Let’s Encrypt for all these fake pages, making it very difficult for non-educated visitors to notice the attack – after all, they were connecting to the usual URL and landed on a secure page.”
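The hijack Kaspersky describes leaves two traces a defender can watch for: a delegation whose NS set departs from the known-good baseline, and a certificate logged for a host in that zone while the delegation is off baseline. The following is an added example, not code from the Kaspersky report or this article; the zone, name servers, internal CA name and snapshot data are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample data; zone, name servers and the internal CA are placeholders.
BASELINE_NS = {"agency.example": {"ns1.registrar.example", "ns2.registrar.example"}}
GOOD, ROGUE = BASELINE_NS["agency.example"], {"ns1.rogue.example", "ns2.rogue.example"}
# Hourly snapshots of the delegation published by the parent zone: (time, zone, NS set)
NS_SNAPSHOTS = [
    ("2021-01-10T08:00", "agency.example", GOOD),
    ("2021-01-10T09:00", "agency.example", ROGUE),
    ("2021-01-10T10:00", "agency.example", ROGUE),
    ("2021-01-10T11:00", "agency.example", GOOD),
]
# Certificate Transparency entries for names in the zone: (logged time, host, issuer)
CT_ENTRIES = [
    ("2020-12-01T00:00", "mail.agency.example", "Example Org CA"),
    ("2021-01-10T09:20", "mail.agency.example", "Let's Encrypt"),
]

def ts(text):
    return datetime.fromisoformat(text)

def hijack_windows(snapshots, baseline):
    """Group consecutive off-baseline snapshots into (zone, start, end, rogue_ns)."""
    windows, open_win = [], {}
    for when, zone, ns in sorted(snapshots, key=lambda s: s[0]):
        if ns != baseline[zone]:
            start, seen = open_win.get(zone, (ts(when), set()))
            open_win[zone] = (start, seen | (ns - baseline[zone]))
        elif zone in open_win:
            start, seen = open_win.pop(zone)
            windows.append((zone, start, ts(when), seen))  # end = first good snapshot
    # A zone that never returned to baseline is still hijacked: end is None.
    windows += [(z, start, None, seen) for z, (start, seen) in open_win.items()]
    return windows

def certs_in_windows(ct_entries, windows, slack=timedelta(hours=1)):
    """Certificates logged for a hijacked zone while (or just before) it was off baseline."""
    hits = []
    for logged, host, issuer in ct_entries:
        for zone, start, end, _ in windows:
            in_zone = host == zone or host.endswith("." + zone)
            started = ts(logged) >= start - slack  # slack covers the sampling gap
            not_over = end is None or ts(logged) <= end + slack
            if in_zone and started and not_over:
                hits.append((host, issuer, logged))
    return hits

if __name__ == "__main__":
    wins = hijack_windows(NS_SNAPSHOTS, BASELINE_NS)
    print(wins, certs_in_windows(CT_ENTRIES, wins))
```

Because the hijacks were brief, the snapshot interval bounds what this can see: a redirection shorter than the polling period only shows up through the certificate side.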
Credentials harvested by this method were likely used to gain initial access to networks so that the Tomiris backdoor could be dropped. Tomiris is written in Go and constantly queries its command-and-control (C2) infrastructure for executables to download and execute on the victim system. Before performing any operations, it sleeps for at least nine minutes in a possible attempt to defeat sandbox-based analysis systems.
It establishes persistence with scheduled tasks by creating and running a batch file. Rather than hardcoding the C2 server address, the malware connects to a signalization server that provides the URL and port to which the backdoor should connect. Then Tomiris sends GET requests to that URL until the C2 server responds with a JSON object that contains information on what to execute. Tomiris does little other than act as a backdoor capable of downloading other executables.
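Repeated GET requests to one URL, spaced by a base sleep plus a bounded random delay (the comparison list on this page gives 0-30 seconds for Tomiris), produce request gaps that cluster far more tightly than interactive browsing. The following is an added detection example over constructed proxy log lines, not code from the Kaspersky report; the log format, hosts and the `min_requests` and `min_interval` thresholds are assumptions to tune locally.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: epoch_seconds client method url status content_type
SAMPLE_LOG = """\
1000 10.0.0.5 GET http://updates.example.net:8080/q 200 text/html
1063 10.0.0.5 GET http://updates.example.net:8080/q 200 text/html
1121 10.0.0.5 GET http://updates.example.net:8080/q 200 text/html
1195 10.0.0.5 GET http://updates.example.net:8080/q 200 text/html
1260 10.0.0.5 GET http://updates.example.net:8080/q 200 application/json
1005 10.0.0.9 GET http://news.example.org/ 200 text/html
1011 10.0.0.9 GET http://news.example.org/ 200 text/html
1400 10.0.0.9 GET http://news.example.org/ 200 text/html
2950 10.0.0.9 GET http://news.example.org/ 200 text/html
2957 10.0.0.9 GET http://news.example.org/ 200 text/html
"""

def find_pollers(log_text, min_requests=5, max_jitter=30, min_interval=10):
    """Flag (client, host, path) series whose GET gaps fit 'base sleep + bounded jitter'."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[2] != "GET":
            continue  # skip malformed lines and other methods
        when, client, _, url, _, ctype = fields
        parts = urlsplit(url)
        series[(client, parts.netloc, parts.path)].append((int(when), ctype))

    findings = []
    for (client, host, path), hits in series.items():
        if len(hits) < max(min_requests, 2):
            continue
        hits.sort()
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        # base + uniform(0, J) keeps every gap inside [base, base + J]:
        # the spread between the longest and shortest gap cannot exceed J.
        if min(gaps) >= min_interval and max(gaps) - min(gaps) <= max_jitter:
            # Times at which the server answered with JSON, i.e. possible tasking.
            json_at = [t for t, c in hits if c == "application/json"]
            findings.append({"client": client, "host": host, "path": path,
                             "requests": len(hits), "gaps": gaps, "json_at": json_at})
    return findings

if __name__ == "__main__":
    for finding in find_pollers(SAMPLE_LOG):
        print(finding)
```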
As to the connection between Tomiris and DarkHalo, Kaspersky researchers noticed similarities between Tomiris and SunShuttle, yet another backdoor strongly linked to DarkHalo. Similarities include:
- Both malware families were developed in Go, with optional UPX packing.
- The same separator (“|”) is used in the configuration file to separate elements.
- In the two families, the same encryption/obfuscation scheme is used to encode configuration files and communicate with the C2 server.
- According to Microsoft’s report, Sunshuttle relied on scheduled tasks for persistence as well.
- Both families comparably rely on randomness:
  - Sunshuttle randomizes its referrer and decoy URLs used to generate benign traffic. It also sleeps 5-10 seconds (by default) between each request.
  - Tomiris adds a random delay (0-2 seconds or 0-30 seconds depending on the context) to the base time it sleeps at various times during the execution. It also contains a list of target folders to drop downloaded executables, from which the program chooses at random.
  - Tomiris and Sunshuttle both gratuitously reseed the RNG with the output of Now() before each call.
- Both malware families regularly sleep during their execution to avoid generating too much network activity.
- The general workflow of the two programs, in particular, the way features are distributed into functions, feel similar enough that this analyst feels they could be indicative of shared development practices. An example of this is how the main loop of the program is transferred to a new goroutine when the preparation steps are complete, while the main thread remains mostly inactive forever.
- English mistakes were found in both the Tomiris (“isRunned”) and Sunshuttle (“EXECED” instead of “executed”) strings.
Researchers admitted that none of these factors provided the smoking gun that definitively links DarkHalo to Tomiris. However, another piece of evidence presents a stronger case for linking the malware to the APT group.
The victim observed in the Tomiris attack was also infected with the Kazuar backdoor. This is still not the smoking gun researchers would need to say for certain, but it does provide further evidence of a potential connection, and a false flag attack remains a likely possibility.
The earliest Tomiris sample was detected in February 2021, at least one month before SunShuttle information was released to the public. This also provides more evidence supporting the link to DarkHalo, as it is unlikely that other APT groups had in-depth knowledge of SunShuttle while operational security was kept high.
Researchers for Kaspersky believe that Tomiris began its development cycle when the SolarWinds incident was discovered. Those behind SolarWinds would know that their toolset would be compromised upon discovery and would need to develop new malware tools like backdoors for other planned operations.
Kaspersky believes that being able to prove a definite link is important, as it would show how quickly APT groups can recover from discovery and develop new malware. To highlight Kaspersky’s findings, Pierre Delcher, a senior security researcher at Kaspersky, said,
“None of these items, taken individually, is enough to link Tomiris and Sunshuttle with sufficient confidence. We freely admit that a number of these data points could be accidental, but still feel that taken together they at least suggest the possibility of common authorship or shared development practices.”