[MART] - Daily Diary #359 - Meet Tomiris Backdoor, Nobelium's New Malware

CTAS-MAT ctas-mat at appgate.com
Thu Sep 30 21:08:02 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

09/30/2021 - Diary entry #359

This week a new backdoor was disclosed. Named Tomiris, it is believed to have been developed by the APT group Nobelium (a.k.a. DarkHalo). Nobelium became famous in late 2020 as the group responsible for the SolarWinds supply-chain attack.

This threat presents many similarities with GoldMax (a.k.a. Sunshuttle), covered in our Daily Diary #217, which was developed by Nobelium and found on some of the targets compromised in the SolarWinds incident. Tomiris and GoldMax share very similar code, using the same encryption and obfuscation techniques to encode their strings, configuration and communications. Both also use scheduled tasks for persistence on the infected machine. Although similar, Tomiris appears to be a much simpler threat, with little functionality beyond downloading additional malware, which indicates that it is probably one stage of a larger attack chain.

Although these similarities link Tomiris to Nobelium and Sunshuttle, they could also be an attempt to mislead security researchers into a false attribution. Regardless, Tomiris samples were discovered in an environment in which other computers were infected with Kazuar, another malware sample from Nobelium. This discovery therefore shows that the Nobelium group is still active and expanding its toolkit.

Kind Regards,




Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
