
Kaspersky links new Tomiris malware to Nobelium group
2021-09-29 14:45

Security outfit Kaspersky has presented research on what appears to be the second new tool of the Nobelium advanced persistent threat group outed so far this week - a piece of malware dubbed Tomiris.

The new malware is linked to an earlier tool known as Sunshuttle, itself a second-stage successor to the Sunburst malware used in the high-profile supply-chain attack carried out on SolarWinds' Orion IT monitoring system last year.

The new Tomiris backdoor, which Kaspersky retrieved in June this year from samples dating back to February, is also written in Go - and that is just the first of the similarities noted by the researchers.

"None of these items taken individually is enough to link Tomiris and Sunshuttle with sufficient confidence," admitted Kaspersky security researcher Pierre Delcher in a statement issued ahead of the presentation.

"If our guess that Tomiris and Sunshuttle are connected is correct," added fellow researcher Ivan Kwiatkowski, "it would shed new light on the way threat actors rebuild capacities after being caught. We would like to encourage the threat intelligence community to reproduce this research and provide second opinions about the similarities we discovered between Sunshuttle and Tomiris."

Kaspersky's research concluded that Nobelium ceased operations following the SolarWinds hack and that "No subsequent attacks were ever linked to them." That conclusion is a little behind the times: earlier this week Microsoft issued a warning about a newly discovered malware known as FoggyWeb, which it attributed to the Nobelium group and said had been in active use since April this year. FoggyWeb is designed to exfiltrate data from, and install a backdoor on, Active Directory Federation Services (AD FS) servers.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/29/kaspersky_links_new_tomiris_malware/

Related vendor

Vendor      Last 12M #/products   Low   Medium   High   Critical   Total vulns
Kaspersky   23                    0     19       16     6          41