The Russian-speaking threat actor behind the backdoor known as Tomiris is primarily focused on intelligence gathering in Central Asia, new research from Kaspersky reveals.
“The endgame of Tomiris consistently seems to be the regular theft of internal documents,” security researchers Pierre Delcher and Ivan Kwiatkowski said in an analysis released today. “The threat actor targets government and diplomatic entities in the CIS.”
The Russian cybersecurity firm's latest assessment is based on three new attack campaigns mounted by the hacking crew between 2021 and 2023.
Tomiris first came to light in September 2021, when Kaspersky highlighted a potential connection to Nobelium (aka APT29, Cozy Bear, or Midnight Blizzard), the Russian state-sponsored group behind the SolarWinds supply chain attack.
Similarities were also found between the backdoor and another malware strain called Kazuar, which is attributed to the Turla group (aka Krypton, Secret Blizzard, Venomous Bear, or Uroburos).
The group's spear-phishing campaigns rely on a “polyglot toolset”: a variety of unsophisticated “burner” implants, coded in different programming languages and deployed repeatedly against the same targets.
Besides open source and commercial offensive tools, the custom malware in the group's arsenal falls into one of three categories: downloaders, backdoors, and file stealers.
- Telemiris – A Python backdoor that uses Telegram as a command-and-control (C2) channel.
- Roopy – A Pascal-based file stealer designed to harvest files of interest every 40 to 80 minutes and exfiltrate them to a remote server.
- JLORAT – A file stealer written in Rust that collects system information, executes commands issued by the C2 server, uploads and downloads files, and captures screenshots.
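A file stealer that uploads on a fixed 40 to 80 minute cadence leaves a regular rhythm in outbound traffic, and that rhythm is something a defender can hunt for. The following is an added example, not Kaspersky's code and not derived from any Tomiris artifact: it parses constructed proxy-style log lines (the line format, host names and destination are assumptions made for illustration) and flags source/destination pairs whose large outbound transfers recur at intervals inside the window the article describes.

```python
"""
Hunt for periodic outbound uploads in proxy log lines.

Added example; the log format, hosts and thresholds below are assumptions
chosen for illustration, not indicators from the Kaspersky report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <source host> <dest host> <bytes out>".
# ws-17 pushes ~180 KB to one destination roughly every hour; ws-22 is noise.
SAMPLE_LOG = """\
2023-04-01T08:00:00 ws-17 files.example-collab.test 184320
2023-04-01T08:05:00 ws-17 cdn.example.test 1200
2023-04-01T09:02:00 ws-17 files.example-collab.test 201121
2023-04-01T10:10:00 ws-17 files.example-collab.test 176640
2023-04-01T10:12:00 ws-17 cdn.example.test 900
2023-04-01T11:21:00 ws-17 files.example-collab.test 190000
2023-04-01T12:15:00 ws-17 files.example-collab.test 188000
2023-04-01T08:03:00 ws-22 cdn.example.test 4000
2023-04-01T13:30:00 ws-22 cdn.example.test 2500
"""


def parse_log(text):
    """Group log lines by (source, destination) -> list of (timestamp, bytes)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return events


def find_periodic_uploads(text, low_min=40, high_min=80,
                          min_intervals=3, min_bytes=100_000):
    """
    Return one finding per (src, dst) pair whose uploads of at least
    `min_bytes` recur at least `min_intervals` times with gaps between
    `low_min` and `high_min` minutes. Small transfers are ignored so that
    ordinary browsing to the same host does not mask the cadence.
    """
    findings = []
    for (src, dst), evs in parse_log(text).items():
        large = sorted((t, b) for t, b in evs if b >= min_bytes)
        if len(large) < min_intervals + 1:
            continue
        gaps = [(large[i + 1][0] - large[i][0]).total_seconds() / 60
                for i in range(len(large) - 1)]
        in_window = [g for g in gaps if low_min <= g <= high_min]
        if len(in_window) >= min_intervals:
            findings.append({
                "src": src,
                "dst": dst,
                "uploads": len(large),
                "mean_gap_min": round(mean(gaps), 1),
                "stdev_gap_min": round(pstdev(gaps), 1),
            })
    return findings


if __name__ == "__main__":
    for finding in find_periodic_uploads(SAMPLE_LOG):
        print(finding)
```

The low standard deviation of the gaps is the useful signal: legitimate sync clients also upload regularly, so a finding is a starting point for triage (what process owns the connection, what the uploaded content is), not a verdict on its own.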
Kaspersky’s investigation further identified an overlap with a Turla cluster tracked by Google-owned Mandiant under the name UNC4210, in which QUIETCANARY (aka TunnusSched) implants were found to have been deployed via Telemiris against government targets in the CIS.
“More precisely, on September 13, 2022, at approximately 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first the Python Meterpreter loader, then JLORAT and Roopy,” the researchers explained.
“These efforts were thwarted by a security product, and the attacker repeatedly attempted from various locations in the file system. All of these attempts failed. After a one-hour pause, the operator tried again at 07:19 UTC using TunnusSched/QUIETCANARY samples. The TunnusSched samples were also blocked.”
However, despite the potential ties between the two groups, Tomiris is assessed to be separate from Turla, owing to differences in targeting and tradecraft, which again raises the possibility of false flag operations.
That said, it is very likely that both actors rely on a common software provider, as evidenced by Russian military intelligence using tools supplied by a Moscow-based IT contractor named NTC Vulkan, or that Turla and Tomiris collaborate on certain operations.
“Overall, Tomiris is a very agile and determined actor, open to experimentation,” the researchers said, adding that “there exists a form of deliberate cooperation between Tomiris and Turla.”