Nobelium APT Brings Out the Tomiris Backdoor Trojan

The Tomiris Backdoor Trojan is a new threat that appears to be in use by one or more Advanced Persistent Threat (APT) groups. Although there are significant similarities between the Tomiris Backdoor Trojan and malware that the Nobelium APT has used, researchers note that other APTs might be involved as well. For example, the targets of the Tomiris Backdoor Trojan overlap with the profiles of victims that were previously targets of the Turla APT.

Recently, the Nobelium APT, known for the SolarWinds attack campaign, made the news once again, this time for using the new FoggyWeb Malware. The Tomiris Backdoor Trojan, however, appears to be an entirely new project that, unlike FoggyWeb, is shared with other APTs as well. Significant portions of Tomiris' code and functionality resemble those found in the GoldMax Malware, which was active in 2020.

Judging by the Tomiris Backdoor Trojan's features, it is likely used as a secondary payload that gives attackers more control over the systems they infect. Like GoldMax, this malware is written in the Go language. Go has been attracting more and more attention from cybercriminals because of its broad compatibility, and because certain security features remain less effective against Go programs.

The Tomiris Backdoor Trojan also gains persistence by creating scheduled tasks. After identifying over 100 victims of the Tomiris Backdoor Trojan, researchers report that many of them also had the Kazuar Backdoor active on their networks. It is not yet clear whether this is a coincidence, or whether the Nobelium and Kazuar operators are working side by side. The activity of this backdoor Trojan can be traced back to January 2021, but its development was probably completed earlier than that.

September 30, 2021