SAS 2021: ‘Tomiris’ Backdoor Linked to SolarWinds Malware

Newly discovered code resembles Kazuar and the Sunshuttle second-stage malware distributed by Nobelium in the supply-chain attacks.

Researchers have discovered a campaign delivering a previously unknown backdoor they’re calling Tomiris. Analysis of it suggests that we may not have heard the last from the Nobelium advanced persistent threat (APT) behind the sprawling SolarWinds supply-chain attacks of 2020.

Namely, Tomiris has a number of similarities to the Sunshuttle second-stage malware (aka GoldMax) that was distributed by Nobelium (aka DarkHalo). That’s according to a report presented at the virtual Analyst Summit (SAS) 2021 on Wednesday, from Kaspersky researchers Pierre Delcher and Ivan Kwiatkowski.

Nobelium also isn’t the only APT that could have links to the malware; the researchers said that the targeting of the Tomiris campaign shows a number of overlaps with Kazuar, a backdoor linked to the Turla APT, first reported by Palo Alto in 2017 (though its development goes back to 2015).

History Repeats Itself: SolarWinds Keeps Blowing

As the researchers noted, news of the SolarWinds attacks rocked the world last December.

The espionage attacks started with SolarWinds, a major U.S. IT firm, spread to its clients, and went undetected for months. The

Read More: https://threatpost.com/tomiris-backdoor-solarwinds-malware/175091/