Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols |
Enterprise | T1005 | Data from Local System | Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration.[1]
Enterprise | T1568 | Dynamic Resolution | Tomiris has connected to a signalization server that provides a URL and port; Tomiris then sends a GET request to that URL to establish C2.[1]
Enterprise | T1041 | Exfiltration Over C2 Channel | Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.[1]
Enterprise | T1105 | Ingress Tool Transfer | Tomiris can download files and execute them on a victim's system.[1]
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing |
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Tomiris has used
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Tomiris has the ability to sleep for at least nine minutes to evade sandbox-based analysis systems.[1]
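The T1005 and T1041 rows describe the same observable: one process touching a burst of documents whose extensions sit on a short hardcoded list. The following is an added detection example written for this page, not code from the Tomiris report or from the malware; it runs a sliding-window count over constructed file-access events (the event schema, the process names and the one-minute/five-file thresholds are this example's assumptions) and flags processes that read several distinct target-extension files in a short interval. Only the four extensions the page names are used; the report says the real list is longer.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"strings"
	"time"
)

// fileEvent is one file-access record in the shape an EDR or file-audit
// pipeline would emit (timestamp, pid, process, path). The field set is this
// example's own assumption, not a real product schema.
type fileEvent struct {
	ts   time.Time
	pid  int
	proc string
	path string
}

// tomirisExts holds the extensions the report names. The page says the
// hardcoded list is longer, so treat this as the known subset, not the full set.
var tomirisExts = []string{".doc", ".docx", ".pdf", ".rar"}

// flagCollectors returns, per PID, the largest number of distinct
// target-extension files the process touched inside any interval of length
// `window`, keeping only PIDs that reached `threshold`. A burst like that is
// the host-side footprint of "collect recent files prior to exfiltration".
func flagCollectors(events []fileEvent, exts []string, window time.Duration, threshold int) map[int]int {
	allowed := make(map[string]bool, len(exts))
	for _, e := range exts {
		allowed[strings.ToLower(e)] = true
	}
	// Earliest access time of each matching path, per PID (distinct files only).
	firstSeen := make(map[int]map[string]time.Time)
	for _, ev := range events {
		if !allowed[strings.ToLower(filepath.Ext(ev.path))] {
			continue
		}
		if firstSeen[ev.pid] == nil {
			firstSeen[ev.pid] = make(map[string]time.Time)
		}
		if prev, seen := firstSeen[ev.pid][ev.path]; !seen || ev.ts.Before(prev) {
			firstSeen[ev.pid][ev.path] = ev.ts
		}
	}
	flagged := make(map[int]int)
	for pid, files := range firstSeen {
		times := make([]time.Time, 0, len(files))
		for _, t := range files {
			times = append(times, t)
		}
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		// Two-pointer sliding window over the sorted access times.
		best, start := 0, 0
		for end := range times {
			for times[end].Sub(times[start]) > window {
				start++
			}
			if n := end - start + 1; n > best {
				best = n
			}
		}
		if best >= threshold {
			flagged[pid] = best
		}
	}
	return flagged
}

// sampleEvents is constructed input: one suspicious process and one benign one.
func sampleEvents() []fileEvent {
	base := time.Date(2021, 9, 1, 12, 0, 0, 0, time.UTC)
	at := func(sec int) time.Time { return base.Add(time.Duration(sec) * time.Second) }
	return []fileEvent{
		// pid 4242: an unfamiliar binary reading six documents in 25 seconds.
		{at(0), 4242, "update.exe", `C:\Users\a\Documents\q3-report.docx`},
		{at(4), 4242, "update.exe", `C:\Users\a\Documents\contract.pdf`},
		{at(9), 4242, "update.exe", `C:\Users\a\Documents\notes.doc`},
		{at(13), 4242, "update.exe", `C:\Users\a\Downloads\archive.rar`},
		{at(18), 4242, "update.exe", `C:\Users\a\Desktop\budget.PDF`},
		{at(20), 4242, "update.exe", `C:\Users\a\Desktop\budget.PDF`}, // re-read, counted once
		{at(25), 4242, "update.exe", `C:\Users\a\Documents\minutes.docx`},
		{at(26), 4242, "update.exe", `C:\Windows\System32\cmd.exe`}, // not a target extension
		// pid 1337: ordinary user activity, two documents an hour apart.
		{at(100), 1337, "WINWORD.EXE", `C:\Users\a\Documents\letter.docx`},
		{at(3700), 1337, "WINWORD.EXE", `C:\Users\a\Documents\memo.docx`},
	}
}

func main() {
	for pid, n := range flagCollectors(sampleEvents(), tomirisExts, time.Minute, 5) {
		fmt.Printf("pid %d touched %d distinct target-extension files within one minute\n", pid, n)
	}
}
```

Counting distinct paths rather than raw events keeps an editor that autosaves one file from tripping the rule, and matching on a lowercased extension catches `.PDF` as well as `.pdf`. In production the threshold should be tuned against the baseline of document-handling processes (office suites, backup agents, indexers), which legitimately read many such files.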
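The T1568 row describes a two-step resolution: the implant first asks a signalization server where to go, then issues a GET to the URL and port it is handed. The block below is an added lab reproduction of that exchange, not code from Tomiris or its analysts; it stands up both servers in-process on loopback with `net/http/httptest` so the sequence can be exercised offline, for instance to validate egress or proxy detections that key on a second outbound connection to a freshly learned host and non-standard port. The JSON field names (`url`, `port`) and the `no-task` C2 reply are assumptions of this example; the page does not document the real message format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// signalReply is the assumed shape of the signalization response. The page
// only says it carries a URL and a port; the JSON field names are this
// example's own.
type signalReply struct {
	URL  string `json:"url"`
	Port int    `json:"port"`
}

// resolveC2 performs the two-step lookup: GET the signalization server, take
// the URL and port from its answer, then GET that endpoint to establish C2.
// It returns the resolved C2 endpoint and the body of the C2 response.
func resolveC2(client *http.Client, signalURL string) (string, string, error) {
	resp, err := client.Get(signalURL)
	if err != nil {
		return "", "", fmt.Errorf("signalization: %w", err)
	}
	defer resp.Body.Close()
	var reply signalReply
	if err := json.NewDecoder(io.LimitReader(resp.Body, 4096)).Decode(&reply); err != nil {
		return "", "", fmt.Errorf("signalization decode: %w", err)
	}
	if reply.Port < 1 || reply.Port > 65535 {
		return "", "", fmt.Errorf("signalization returned bad port %d", reply.Port)
	}
	c2 := reply.URL + ":" + strconv.Itoa(reply.Port)
	resp2, err := client.Get(c2)
	if err != nil {
		return c2, "", fmt.Errorf("c2: %w", err)
	}
	defer resp2.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp2.Body, 1<<20))
	if err != nil {
		return c2, "", err
	}
	return c2, string(body), nil
}

// startLab stands up both sides on loopback: a "C2" server that answers the
// beacon, and a "signalization" server that points at the C2 server's
// dynamically assigned port. It returns the signalization URL and a stop func.
func startLab() (signalURL string, stop func()) {
	c2 := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// A real C2 would answer with an executable to run; this one has no task.
		io.WriteString(w, "no-task")
	}))
	host, portStr, err := net.SplitHostPort(c2.Listener.Addr().String())
	if err != nil {
		panic(err)
	}
	port, _ := strconv.Atoi(portStr)
	signal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(signalReply{URL: "http://" + host, Port: port})
	}))
	return signal.URL, func() { signal.Close(); c2.Close() }
}

func main() {
	sig, stop := startLab()
	defer stop()
	c2, body, err := resolveC2(http.DefaultClient, sig)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("signalization %s -> C2 %s -> %q\n", sig, c2, body)
}
```

From a monitoring standpoint the useful property is that the C2 destination is never present in the binary: blocking the signalization host alone leaves an already-resolved implant talking to its C2, and a proxy log shows two short GETs in sequence, the second to a host and port first seen moments earlier.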