Thursday, February 29, 2024

Tomiris cybercriminals are actively collecting intelligence in the CIS countries
Is it true that the group has close ties to other hacker associations?

According to the latest report from Kaspersky Lab, the alleged Russian-speaking hacker group Tomiris, named after the backdoor it operates, is currently focused on intelligence gathering in Central Asia.

“The end goal of Tomiris is invariably the regular theft of internal documents. The attackers target governmental and diplomatic structures in the CIS countries,” security researchers Pierre Delcher and Ivan Kwiatkowski said.

Tomiris first came to light in September 2021, when Kaspersky Lab researchers uncovered the group’s potential ties to Nobelium (aka APT29, Cozy Bear, or Midnight Blizzard), the alleged Russian state group behind attacks on the SolarWinds supply chain.

Phishing attacks organized by the Tomiris group relied on a polyglot toolkit: many simple “one-time” implants written in different programming languages, all of which were deployed repeatedly against the same targets.

Figure: relationships between Tomiris tools across its various malware campaigns.

In addition to freeware or commercial tools such as RATel and Warzone RAT (aka Ave Maria), the custom malware arsenal used by Tomiris includes downloaders, backdoors, and information stealers:

  • Telemiris is a Python backdoor that uses Telegram as a C2 channel.
  • Roopy is a Pascal-based file stealer designed to scan for files of interest every 40-80 minutes and upload them to a remote server.
  • JLORAT is a file stealer written in Rust that collects system information, executes commands issued by a C2 server, downloads files, and takes screenshots.

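The stealers listed above share one observable trait from a defender's side: they repeatedly push document-sized payloads to the same remote host on a roughly fixed cadence (Roopy's 40-80 minute cycle is the one the report quantifies). The script below is an added example of a cadence check a SOC might run over proxy logs; it is not Kaspersky's code and carries no real Tomiris indicator. The log lines, hostnames, thresholds and the `parse_log`/`find_periodic_uploads` helpers are all constructed for illustration.

```python
"""Flag hosts whose outbound uploads recur at roughly fixed intervals.

Added defensive example. Not Kaspersky Lab code and not tied to any real
Roopy/Tomiris indicator; every log line and hostname below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one event per line:
#   "<ISO timestamp> <src_host> <method> <dest_host> <bytes_out>"
# ws-17 uploads ~50 KB to the same host every 54-58 minutes (suspicious);
# ws-22 posts small payloads twice, 2.5 h apart (benign noise).
SAMPLE_LOG = """\
2024-02-29T08:00:00 ws-17 POST files.example-cdn.test 52311
2024-02-29T08:03:10 ws-17 GET  www.example.test 211
2024-02-29T08:58:00 ws-17 POST files.example-cdn.test 48120
2024-02-29T09:55:30 ws-17 POST files.example-cdn.test 61002
2024-02-29T10:02:00 ws-22 POST docs.example-corp.test 900
2024-02-29T10:50:00 ws-17 POST files.example-cdn.test 50877
2024-02-29T11:45:00 ws-17 POST files.example-cdn.test 57340
2024-02-29T12:30:00 ws-22 POST docs.example-corp.test 1200
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, method, dest, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, method, dest, int(nbytes)))
    return events


def find_periodic_uploads(events, min_gap_min=40, max_gap_min=80,
                          min_uploads=4, min_bytes=4096):
    """Return (src, dest) pairs whose uploads all fall within [min_gap, max_gap] minutes.

    Only POSTs at or above `min_bytes` count, so ordinary form traffic is ignored.
    The 40-80 minute default mirrors the Roopy cadence quoted in the report; the
    other thresholds are assumptions to tune per environment.
    """
    by_pair = defaultdict(list)
    for ts, src, method, dest, nbytes in events:
        if method == "POST" and nbytes >= min_bytes:
            by_pair[(src, dest)].append(ts)

    findings = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_uploads:
            continue
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        if all(min_gap_min <= g <= max_gap_min for g in gaps):
            findings[pair] = {
                "uploads": len(stamps),
                "mean_gap_min": round(mean(gaps), 1),
                "jitter_min": round(pstdev(gaps), 1),  # low jitter = scheduled, not human
            }
    return findings


if __name__ == "__main__":
    for (src, dest), info in find_periodic_uploads(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dest}: {info['uploads']} uploads, "
              f"mean gap {info['mean_gap_min']} min, jitter {info['jitter_min']} min")
```

A hit from this check is a lead, not a verdict: backup agents and sync clients also upload on a schedule, so the flagged destination should be compared against the known-good list before anyone pulls the host for triage. Narrowing `max_gap_min` or raising `min_uploads` trades fewer false positives for slower detection.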
The investigation additionally revealed overlaps with the Turla cluster, tracked by Mandiant under the identifier UNC4210. Despite the potential links between the two groups, Tomiris is considered separate from Turla because of differences in aims and methods. At the same time, the researchers consider it highly likely that Turla and Tomiris collaborate on separate operations, or that both rely on a common software supplier.

“Overall, Tomiris is a very agile and determined player, open to experimentation,” the Kaspersky Lab researchers explained, adding that there is definitely some form of deliberate collaboration between Tomiris and Turla.
