The Russian-speaking threat actor behind a backdoor known as Tomiris is primarily focused on gathering intelligence in Central Asia, new findings from Kaspersky reveal.
“Tomiris’s endgame consistently appears to be the regular theft of internal documents,” security researchers Pierre Delcher and Ivan Kwiatkowski said in an analysis published today. “The threat actor targets government and diplomatic entities in the CIS.”
The Russian cybersecurity firm’s assessment is based on three new attack campaigns mounted by the hacking crew between 2021 and 2023.
Tomiris first came to light in September 2021 when Kaspersky highlighted its potential connections to Nobelium (aka APT29, Cozy Bear, or Midnight Blizzard), the Russian nation-state group behind the SolarWinds supply chain attack.
Similarities have also been unearthed between the backdoor and another malware strain dubbed Kazuar, which is attributed to the Turla group (aka Krypton, Secret Blizzard, Venomous Bear, or Uroburos).
Spear-phishing attacks mounted by the group have leveraged a “polyglot toolset” comprising a variety of low-sophistication “burner” implants that are repeatedly deployed against the same targets.
Besides using open source or commercially available offensive tools, the group relies on a custom malware arsenal that falls into one of three categories: downloaders, backdoors, and information stealers. These include:
- Telemiris – A Python backdoor that uses Telegram as a command-and-control (C2) channel.
- Roopy – A Pascal-based file stealer that’s designed to hoover files of interest every 40-80 minutes and exfiltrate them to a remote server.
- JLORAT – A file stealer written in Rust that gathers system information, runs commands issued by the C2 server, uploads and downloads files, and captures screenshots.
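The following detection sketch is an added example, not code from Kaspersky's report or from this article. It flags host and destination pairs whose uploads recur at the 40-80 minute interval described for Roopy. The log format, hostnames, addresses, byte threshold, and three-gap minimum are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log (not real telemetry):
# timestamp, source host, destination, bytes uploaded.
SAMPLE_LOG = """\
2024-01-10T05:00:00Z ws-014 203.0.113.50 48211
2024-01-10T05:52:00Z ws-014 203.0.113.50 51320
2024-01-10T07:03:00Z ws-014 203.0.113.50 120993
2024-01-10T07:47:00Z ws-014 203.0.113.50 7712
2024-01-10T09:01:00Z ws-014 203.0.113.50 90210
2024-01-10T05:00:00Z ws-022 198.51.100.7 1500
2024-01-10T05:05:00Z ws-022 198.51.100.7 1720
2024-01-10T09:30:00Z ws-022 198.51.100.7 1604
2024-01-10T06:10:00Z ws-031 192.0.2.9 88000
2024-01-10T07:00:00Z ws-031 192.0.2.9 91000
"""
MIN_UPLOAD_BYTES = 1024  # assumption: ignore requests too small to carry files

def parse_uploads(log_text):
    """Group upload timestamps by (host, destination), skipping malformed lines."""
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, host, dest, sent = parts
        if int(sent) >= MIN_UPLOAD_BYTES:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            uploads[(host, dest)].append(when)
    return uploads

def longest_run_in_window(times, lo_min=40, hi_min=80):
    """Longest streak of consecutive gaps that fall inside [lo_min, hi_min] minutes."""
    times = sorted(times)
    best = run = 0
    for prev, cur in zip(times, times[1:]):
        gap = (cur - prev).total_seconds() / 60
        run = run + 1 if lo_min <= gap <= hi_min else 0
        best = max(best, run)
    return best

def find_periodic_uploads(log_text, min_run=3):
    """Return (host, destination, streak) for pairs with at least min_run in-window gaps."""
    hits = []
    for (host, dest), times in sorted(parse_uploads(log_text).items()):
        run = longest_run_in_window(times)
        if run >= min_run:
            hits.append((host, dest, run))
    return hits

if __name__ == "__main__":
    for hit in find_periodic_uploads(SAMPLE_LOG):
        print(hit)
```

A streak only narrows the search: software updaters and sync clients can produce similar timing, so review the destination and the uploading process before escalating.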
Kaspersky’s investigation of the attacks has further identified overlaps with a Turla cluster tracked by Google-owned Mandiant under the name UNC4210, uncovering that the QUIETCANARY (aka TunnusSched) implant was deployed by means of Telemiris.
“More precisely, on September 13, 2022, around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first a Python Meterpreter loader, then JLORAT and Roopy,” the researchers explained.
“These efforts were thwarted by security products, which led the attacker to make repeated attempts, from various locations on the filesystem. All these attempts ended in failure. After a one-hour pause, the operator tried again at 07:19 UTC, this time using a TunnusSched/QUIETCANARY sample. The TunnusSched sample was blocked as well.”
That said, despite the potential ties between the two groups, Tomiris is said to be separate from Turla owing to differences in their targeting and tradecraft, once again raising the possibility of a false flag operation.
On the other hand, it’s also highly probable that Turla and Tomiris collaborate on select operations or that both the actors rely on a common software provider, as exemplified by Russian military intelligence agencies’ use of tools supplied by a Moscow-based IT contractor named NTC Vulkan.
“Overall, Tomiris is a very agile and determined actor, open to experimentation,” the researchers said, adding “there exists a form of deliberate cooperation between Tomiris and Turla.”