New Backdoor Linked to Infamous Sunburst Hackers

sunburst hackers backdoor tomiris

Researchers at Kaspersky Labs believe they’ve detected new activity from the supposedly dormant hacker group DarkHalo.

They discovered a brand-new backdoor called Tomiris, a so-called “advanced persistent threat” (APT). It was found during a recent DNS redirect attack aimed at several undisclosed corporate targets. The targets, Kaspersky reports, were trying to log into their web-based email client, which was redirected towards a spoofed “update” page, which then tried downloading the aforementioned malware.

So, how does this all connect to the infamous hackers? First and foremost, the Tomiris backdoor was supplied via a DNS hijacking method similar to supply-chain attacks DarkHalo employed during its glory days. On top of that, the backdoor strongly resembles the Sunshuttle malware, which was the hacking group’s signature app.

The author of the backdoor used the Go programming language, every backdoor was protected by single encryption, the tasks were schedule-based with randomized intervals for harder detection, and there were even similar grammatical errors in the code, implying a non-English speaker wrote it. Cybersecurity specialists believed DarkHalo was a group of Russian hackers.

The similarities don’t end there: Researchers have found that Tomiris and Sunshuttle’s behaviors flow almost identically, suggesting they were parts of the same development process. Also, Tomiris appeared on networks with machines infected by Kazuar, another backdoor that shares similarities with tools used in DarkHalo’s Sunburst attack.

“If our guess that Tomiris and Sunshuttle are connected is correct, it would shed new light on the way threat actors rebuild capacities after being caught. We would like to encourage the threat intelligence community to reproduce this research and provide second opinions about the similarities we discovered between Sunshuttle and Tomiris,” said Ivan Kwiatkowski, a security researcher at Kaspersky.

DarkHalo rose to infamy in December 2020 when it executed the Sunburst attack, affecting supply chains for enterprise software. The group managed to infiltrate the system using DNS spoofing and then pushed spyware apps onto thousands of users who believed they were downloading software updates. Following a massive – though unsuccessful – media and security hunt, DarkHalo went off the grid. If the group has come back, it could imply another wave of attacks is on the way, so keep your Kaspersky antivirus and other security apps up to date. Just in case.