Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.[1]

ID: S0671
Contributors: Craig Smith, BT Security
Version: 1.0
Created: 29 December 2021
Last Modified: 15 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Tomiris can use HTTP to establish C2 communications.[1]

Enterprise T1005 Data from Local System

Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration.[1]

Enterprise T1568 Dynamic Resolution

Tomiris has connected to a signalization server that provides a URL and port, and then Tomiris sends a GET request to that URL to establish C2.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.[1]

Enterprise T1105 Ingress Tool Transfer

Tomiris can download files and execute them on a victim's system.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Tomiris has been packed with UPX.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Tomiris has used SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR "[path to self]" /ST 10:00 to establish persistence.[1]

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Tomiris has the ability to sleep for at least nine minutes to evade sandbox-based analysis systems.[1]