SAS 2021: ‘Tomiris’ Backdoor Linked to SolarWinds Malware

2021-09-29 14:45

Researchers have discovered a campaign delivering a previously unknown backdoor they're calling Tomiris.

Namely, Tomiris has a number of similarities to the Sunshuttle second-stage malware that was distributed by Nobelium.

Nobelium also isn't the only APT that could have links to the malware; the researchers said that the targeting of the Tomiris campaign shows a number of overlaps with Kazuar, a backdoor linked to the Turla APT, first reported by Palo Alto in 2017.

When Kaspersky researchers traced the attackers' path, they found that the purported update was actually a previously unknown backdoor: Tomiris, a backdoor designed to establish a foothold in compromised systems that could be used to download additional, as yet unidentified malware.

Tomiris proved suspiciously similar to the Sunshuttle/GoldMax second-stage malware that was deployed by the Sunburst backdoor in the SolarWinds attacks.

The Tomiris backdoor was discovered in networks where other machines were infected with Kazuar - the backdoor which is known for its code overlaps with the Sunburst backdoor.

News URL

https://threatpost.com/tomiris-backdoor-solarwinds-malware/175091/

#backdoor #malware #SAS #solarwinds

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Solarwinds		56	33	102	74	36	245
SAS		11	2	9	2	1	14