Tomiris

Malware updated a month ago (2024-10-08T12:01:02.488Z)

Download STIX

Preview STIX

Tomiris is a malware group that has been active since at least 2019, known for using the backdoor QUIETCANARY. The group has also used Turla malware, indicating a possible cooperation or shared expertise between Tomiris and Turla. A significant development was observed in September 2022 when a TunnusSched sample, deployed from Tomiris's Telemiris malware, was delivered to a government target in the Commonwealth of Independent States (CIS). This collaboration between Tomiris and Turla advanced their capabilities, allowing them to launch more sophisticated attacks. The Tomiris malware has been associated with various implants and downloaders, sharing a common Command & Control (C2) center. One notable example attributed to Tomiris was downloaded from mail.mfa.uz.webmails[.]info, as referenced by Cyjax. Additionally, a variant of Tomiris, internally named "SBZ", acts as a file stealer, uploading any recent files matching a hardcoded set of extensions (.doc, .docx, .pdf, .rar, etc.) to the C2. While Tomiris initially focused on expanding its capabilities within Russia, it has since broadened its scope to target other regions. It appears to have utilized extinct Andromeda hostnames or domains, likely hijacking them for their operations. We believe with medium-to-high confidence that both TunnusSched and KopiLuwak are being leveraged by Tomiris, marking an escalation in their cyber warfare tactics.

Description last updated: 2024-10-08T11:32:43.563Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Tunnussched is a possible alias for Tomiris. TunnusSched is a malicious software (malware) that has been used by the Advanced Persistent Threat (APT) group known as Tomiris. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is capable of stealing personal information, disrupting operations, and even h	2
KOPILUWAK is a possible alias for Tomiris. KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX	2
QUIETCANARY is a possible alias for Tomiris. Quietcanary is a malicious software (malware) that has been exploited by threat groups such as Pensive Ursa and Tomiris. The malware, known for its backdoor capabilities, has been in use since at least 2019, with Pensive Ursa deploying it against targets in Ukraine in September 2022, often in conjun	2
Sunshuttle is a possible alias for Tomiris. Sunshuttle is a malicious software (malware) that has been linked to various cyber threats. Initial reports identified connections between Sunshuttle, a Tomiris Golang implant, NOBELIUM (also known as APT29 or TheDukes), and Kazuar, which is associated with Turla. However, interpreting these connect	2
Sbz is a possible alias for Tomiris. SBZ is a potent malware, also known as a filestealer, that has been identified by cybersecurity researchers. It is characterized by its ability to upload any recent file matching a hardcoded set of extensions (.doc, .docx, .pdf, .rar, etc.) to the Command and Control (C2) server. Its discovery was f	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Backdoor

Kaspersky

russian

exploitation

Implant

Russia

Exploit

Apt

Downloader

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Kazuar Malware is associated with Tomiris. Kazuar is a sophisticated multiplatform trojan horse malware that has been associated with the Russian-based threat group Turla, also known as Pensive Ursa, Uroburos, or Snake. This group, believed to be linked to the Russian Federal Security Service (FSB), has been operating since at least 2004 and	Unspecified	2
The SUNBURST Malware is associated with Tomiris. Sunburst is a sophisticated malware that was detected in a major supply chain attack in December 2020. The Sunburst backdoor has been tied to Kazuar, another malicious software, due to code resemblance, indicating its high level of complexity. This malware infiltrates systems, often without the user	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Turla Threat Actor is associated with Tomiris. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (	Unspecified	5

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The Proxylogon Vulnerability is associated with Tomiris. ProxyLogon is a significant software vulnerability that was discovered in Microsoft Exchange Server. It is part of an exploit chain, including CVE-2021-26855, which is a server-side request forgery (SSRF) vulnerability. This flaw allows attackers to bypass authentication mechanisms and impersonate u	Unspecified	2

Source Document References

Information about the Tomiris Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	9 months ago	Russia and Belarus targeted by at least 14 nation-state hacker groups, researchers say \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
InfoSecurity-magazine	a year ago	Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor
Unit42	a year ago	Threat Group Assessment: Turla (aka Pensive Ursa)
CERT-EU	a year ago	IT threat evolution in Q2 2023 – GIXtools
CERT-EU	a year ago	IT threat evolution Q2 2023
MITRE	2 years ago	Tomiris backdoor and its connection to Sunshuttle and Kazuar
CERT-EU	2 years ago	後門程式
CERT-EU	2 years ago	Tomiris called, they want their Turla malware back
CERT-EU	2 years ago	Tomiris called, they want their Turla malware back - GIXtools
InfoSecurity-magazine	2 years ago	Tomiris and Turla APT Groups Collaborate to Target Government Entities
CERT-EU	2 years ago	Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
CERT-EU	2 years ago	Tomoris links to APT behind SolarWinds attack put to rest
CERT-EU	2 years ago	Tangled Up: 'Tomiris' APT Uses Turla Malware, Confusing Researchers
CERT-EU	2 years ago	Kaspersky enquête sur le groupe APT Tomiris qui cible des entités gouvernementales dans la CEI – Global Security Mag Online
CERT-EU	2 years ago	Kaspersky Analyzes Links Between Russian State-Sponsored APTs
CERT-EU	2 years ago	Киберпреступники Tomiris активно собирают разведданные в странах СНГ
CERT-EU	2 years ago	Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker – National Cyber Security Consulting
CERT-EU	2 years ago	APT trends report Q1 2023
CERT-EU	2 years ago	APT trends report Q1 2023 - GIXtools
CERT-EU	2 years ago	Rapport APT Q1 2023 : techniques avancées, nouveaux horizons et nouvelles cibles – Global Security Mag Online