Cybersecurity researchers on Wednesday disclosed a previously undocumented backdoor likely designed and developed by the Nobelium advanced persistent threat (APT) behind last year’s SolarWinds supply chain attack, joining the threat actor’s ever-expanding arsenal of hacking tools.
Moscow-headquartered firm Kaspersky codenamed the malware “Tomiris,” calling out its similarities to another second-stage malware used during the campaign, SUNSHUTTLE (aka GoldMax), targeting the IT management software provider’s Orion platform. Nobelium is also known by the monikers UNC2452, SolarStorm, StellarParticle, Dark Halo, and Iron Ritual.
“While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims,” Kaspersky researchers said. “Evidence gathered so far indicates that Dark Halo spent six months inside Orion IT’s networks to perfect their attack and make sure that their tampering of the build chain wouldn’t cause any adverse effects.”
Microsoft, which detailed SUNSHUTTLE in March 2021, described the strain as a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with an attacker-controlled server to fetch and execute arbitrary commands on the compromised machine as well as exfiltrate files from the system to the server.
images from Hacker News