Researchers discovered new malware with several attributes that potentially connect it to DarkHalo, the threat actor behind the Sunburst attack on SolarWinds.

DarkHalo compromised a widely used enterprise software provider and used its infrastructure to distribute spyware under the guise of legitimate software updates. After an extensive hunt, the actor seemed to go under the radar, with no major incidents attributable to it discovered after Sunburst.

Researchers found traces of a successful DNS hijacking attack against several government organizations in the same country. DNS hijacking is an attack in which a domain's name records are modified so that network traffic is rerouted to an attacker-controlled server.

Researchers retrieved the “update” and discovered that it deployed a previously unknown backdoor, Tomiris; tracing the attack path showed that the threat actor had compromised the corporate email servers.

The Tomiris backdoor turned out to be suspiciously similar to SunShuttle, a malware deployed as a consequence of the infamous Sunburst attack.

The list of similarities with SunShuttle:

  • Tomiris was developed in the Go programming language
  • Each backdoor uses a single encryption/obfuscation scheme to encode both its configuration and its network traffic
  • Both rely on scheduled tasks for persistence and use randomness and sleep delays to hide their activities
  • It is widely acknowledged that the DarkHalo actor is Russian-speaking
  • The Tomiris backdoor was discovered in networks where other machines were infected with Kazuar, the backdoor known for its code overlaps with the Sunburst backdoor

If the connection between Tomiris and SunShuttle is correct, it would shed new light on how threat actors rebuild their capabilities after being caught. Threat intelligence teams should remain alert and vigilant.