KUALA LUMPUR, 1/10/2021 – The Sunburst security incident hit the headlines in December 2020: the DarkHalo threat actor compromised a widely used enterprise software provider and for a long time used its infrastructure to distribute spyware under the guise of legitimate software updates. After the media hype and an extensive hunt by the security community, the actor seemed to go under the radar. After Sunburst, there were no major discoveries of incidents attributable to this actor – it appeared that the DarkHalo APT had gone offline. However, the results of recent research conducted by the Kaspersky Global Research and Analysis Team show that this may not be the case.
In June 2021, more than six months after DarkHalo went dark, Kaspersky researchers found traces of a successful DNS hijacking attack against several government organizations in the same country. DNS hijacking is a type of malicious attack in which the DNS record that maps a domain name (the name in a website's URL) to the IP address of the server hosting that website is altered so that network traffic is rerouted to an attacker-controlled server. In the case that Kaspersky discovered, the targets of the attack were trying to access the web interface of a corporate email service but were redirected to a fake copy of that web interface and then tricked into downloading a malicious software update. Following the attackers' path, Kaspersky researchers retrieved the "update" and discovered that it deployed a previously unknown backdoor: Tomiris.
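Because a hijacked record hands the victim a wrong IP address for a hostname it trusts, one of the simplest defensive checks is to compare what a resolver currently returns for critical hostnames against a baseline published by the domain owner and against the address ranges the organization actually controls. The following script is an added example, not code from the Kaspersky article or from any Kaspersky tool; the hostnames, address ranges and resolver answers in it are constructed, and the input format assumed is the "name TTL IN A address" layout of a dig answer section.

```python
"""
Added example (not part of the original article): a small DNS-hijack
baseline check for defenders.

It parses resolver answers in dig answer-section format, compares them with
a known-good baseline and with the address ranges the organisation owns, and
also compares the answer sets of two different resolvers (for instance the
corporate resolver versus an out-of-band public one), since a hijack that
affects only one resolution path shows up as a disagreement between them.
All hostnames, IP ranges and answers below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed baseline: hostname -> A records the domain owner expects to publish.
BASELINE: Dict[str, Set[str]] = {
    "webmail.example.gov": {"203.0.113.10", "203.0.113.11"},
    "updates.example.gov": {"203.0.113.20"},
}

# Constructed: address ranges the organisation controls. An answer outside
# these is the strongest single indicator that traffic is being rerouted.
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Finding:
    hostname: str
    observed: str   # the suspicious address, or "" when no answer came back
    reason: str


def parse_dig_answers(lines: List[str]) -> Dict[str, Set[str]]:
    """Collect A records from lines shaped like 'name. TTL IN A address'.

    Lines that are not A records (comments, NS/MX records, blank lines)
    are ignored rather than treated as errors.
    """
    observed: Dict[str, Set[str]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN" or parts[3] != "A":
            continue
        host = parts[0].rstrip(".").lower()
        observed.setdefault(host, set()).add(parts[4])
    return observed


def check_answers(observed: Dict[str, Set[str]],
                  baseline: Dict[str, Set[str]] = BASELINE,
                  owned=OWNED_RANGES) -> List[Finding]:
    """Flag every monitored hostname whose answers deviate from the baseline."""
    findings: List[Finding] = []
    for host, expected in baseline.items():
        answers = observed.get(host)
        if not answers:
            # A missing answer can mean the record was removed or sinkholed.
            findings.append(Finding(host, "", "no A record returned"))
            continue
        for addr in sorted(answers):
            if addr in expected:
                continue
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append(Finding(host, addr, "unparseable address"))
                continue
            if any(ip in net for net in owned):
                findings.append(Finding(host, addr, "unexpected record inside owned ranges"))
            else:
                findings.append(Finding(host, addr, "resolves outside owned ranges"))
    return findings


def compare_resolvers(first: Dict[str, Set[str]],
                      second: Dict[str, Set[str]]) -> List[str]:
    """Return hostnames for which two resolvers disagree on the A record set."""
    hosts = set(first) | set(second)
    return sorted(h for h in hosts if first.get(h, set()) != second.get(h, set()))


# Constructed sample answers: the second line is the hijacked record.
SAMPLE_ANSWERS = [
    "webmail.example.gov. 300 IN A 203.0.113.10",
    "webmail.example.gov. 300 IN A 198.51.100.7",
    "updates.example.gov. 300 IN A 203.0.113.20",
]


def run_sample() -> List[Finding]:
    """Run the baseline check over the constructed sample answers."""
    return check_answers(parse_dig_answers(SAMPLE_ANSWERS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.hostname}: {f.observed or '-'} -> {f.reason}")
```

In practice the answer lines would come from two independent lookups (the corporate resolver and an out-of-band resolver, or the zone's own authoritative servers) so that `compare_resolvers` can catch a hijack that only affects one path; the baseline itself should be kept outside the network whose DNS is being checked.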
Further analysis showed that the main purpose of the backdoor was to establish a foothold in the attacked system and to download other malicious components. Those components, unfortunately, were not identified during the investigation; however, one other important observation was made: the Tomiris backdoor turned out to be suspiciously similar to Sunshuttle – malware deployed as a consequence of the infamous Sunburst attack.