Security News > 2021 > September > New Tomiris Backdoor Found Linked to Hackers Behind SolarWinds Cyberattack
Cybersecurity researchers on Wednesday disclosed a previously undocumented backdoor likely designed and developed by the Nobelium advanced persistent threat behind last year's SolarWinds supply chain attack, joining the threat actor's ever-expanding arsenal of hacking tools.
"While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims," Kaspersky researchers said.
"Evidence gathered so far indicates that Dark Halo spent six months inside Orion IT's networks to perfect their attack and make sure that their tampering of the build chain wouldn't cause any adverse effects."
The new Tomiris backdoor, found by Kaspersky in June this year from samples dating back to February, is also written in Go and deployed via a successful DNS hijacking attack during which targets attempting to access the login page of a corporate email service were redirected to a fraudulent domain set up with a lookalike interface designed to trick the visitors into downloading the malware under the guise of a security update.
"The main purpose of the backdoor was to establish a foothold in the attacked system and to download other malicious components," the researchers said, in addition to finding a number of similarities ranging from the encryption scheme to the same spelling mistakes that collectively hint at the "Possibility of common authorship or shared development practices."
Interestingly, the cybersecurity company said it detected Tomiris in networks where other machines were infected with Kazuar, adding weight to prospects that the three malware families could be linked to each other.