S0671 Tomiris
Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.[1]
Item | Value |
---|---|
ID | S0671 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 29 December 2021 |
Last Modified | 15 April 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Tomiris can use HTTP to establish C2 communications.[1] |
enterprise | T1005 | Data from Local System | Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration.[1] |
enterprise | T1568 | Dynamic Resolution | Tomiris has connected to a signalization server that provides a URL and port, then sent a GET request to that URL to establish C2.[1] |
enterprise | T1041 | Exfiltration Over C2 Channel | Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.[1] |
enterprise | T1105 | Ingress Tool Transfer | Tomiris can download files and execute them on a victim's system.[1] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.002 | Software Packing | Tomiris has been packed with UPX.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Tomiris has used `SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR "[path to self]" /ST 10:00` to establish persistence.[1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.003 | Time Based Evasion | Tomiris has the ability to sleep for at least nine minutes to evade sandbox-based analysis systems.[1] |
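The T1053.005 entry above gives one concrete, searchable artifact: a daily task named StartDVL whose action is the backdoor's own path. The script below is an added detection example, not code from this page or from any Tomiris analysis. It parses `schtasks /create` command lines out of process-creation events and flags the reported task name, a task whose action is the creating process's own executable (self-persistence, as the `[path to self]` argument implies), and, as a heuristic of this example rather than a fact from the page, actions that live in user-writable directories. The event dicts are constructed samples shaped like Sysmon Event ID 1 fields; those field names, the `USER_WRITABLE_HINTS` list and the sample paths are assumptions.

```python
"""Flag Tomiris-style scheduled-task persistence in process-creation events."""
import re
from pathlib import PureWindowsPath

# Task name reported for Tomiris on this page (T1053.005 entry).
KNOWN_TASK_NAMES = {"startdvl"}

# Heuristic, an assumption of this example rather than a fact from the page:
# directories a dropped backdoor commonly runs from.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Quoted token (kept whole) or bare whitespace-delimited token.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_schtasks(cmdline):
    """Parse a `schtasks /create` command line into {switch: value}.

    Returns None when the command is not schtasks or is not a /create call.
    Switch names are lower-cased, quoted values lose their quotes, and
    switches without a value (e.g. /F) map to True.
    """
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if not tokens:
        return None
    if PureWindowsPath(tokens[0]).name.lower() not in ("schtasks", "schtasks.exe"):
        return None
    args = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1]
                i += 2
            else:
                args[key] = True
                i += 1
        else:
            i += 1
    return args if "create" in args else None


def assess(event):
    """Return a finding dict for one event, or None if it is not a schtasks /create."""
    args = parse_schtasks(event.get("CommandLine", ""))
    if args is None:
        return None
    task_name = str(args.get("tn", ""))
    # Only the executable path is compared; arguments after it would be separate tokens.
    action = str(args.get("tr", "")).lower()
    parent = event.get("ParentImage", "").lower()
    name_hit = task_name.lower() in KNOWN_TASK_NAMES
    self_hit = bool(action) and action == parent
    reasons = []
    if name_hit:
        reasons.append("task name matches the reported Tomiris task StartDVL")
    if self_hit:
        reasons.append("task action is the creating process's own executable (self-persistence)")
    if any(h in action for h in USER_WRITABLE_HINTS):
        reasons.append("task action resides in a user-writable directory (heuristic)")
    if str(args.get("sc", "")).lower() == "daily":
        reasons.append("daily schedule (weak signal on its own)")
    # Name match or self-persistence is enough to alert; the other two only add context.
    return {"task": task_name, "action": action, "reasons": reasons,
            "suspicious": name_hit or self_hit}


def run_detection(events):
    """Assess every event; return findings for each schtasks /create seen, in order."""
    findings = []
    for idx, ev in enumerate(events):
        finding = assess(ev)
        if finding is not None:
            finding["index"] = idx
            findings.append(finding)
    return findings


# Constructed sample events in the shape of Sysmon Event ID 1 fields; not real telemetry.
SAMPLE_EVENTS = [
    {  # Tomiris-style: daily task whose action is the parent's own dropped binary
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
        "CommandLine": r'SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR "C:\Users\victim\AppData\Local\Temp\update.exe" /ST 10:00',
    },
    {  # Benign admin task: weekly, installed location, spawned from an admin shell
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks.exe /Create /SC WEEKLY /D SUN /TN "Weekly Backup" /TR "C:\Program Files\Backup\backup.exe" /ST 02:00',
    },
    {  # Query only; not a /create, so ignored even though the name matches
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "schtasks.exe /Query /TN StartDVL",
    },
    {  # Unrelated process
        "Image": r"C:\Windows\System32\svchost.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": "svchost.exe -k netsvcs",
    },
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f["index"], f["suspicious"], f["task"], f["reasons"])
```

Run against real telemetry, the self-persistence check is the durable signal: a renamed task would defeat the StartDVL match, but a binary registering its own path from a temporary directory still stands out. Treat the directory heuristic as context only, since legitimate updaters also run from AppData.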
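The T1005 and T1041 entries above give the selection rule: recent files with one of a hardcoded set of extensions (.doc, .docx, .pdf, .rar). During response the practical question is which files on a compromised host fell inside that selection during the infection window. The script below is an added scoping example, not the page's or the malware's code: it walks a directory tree, lists targeted-extension files modified within a given window, and exercises itself against a constructed temporary tree. The recency window and the sample file names are this example's assumptions, since the page does not say how Tomiris defines "recent".

```python
"""Scope which files a Tomiris-style collector could have picked up on a host."""
import os
import tempfile
import time
from pathlib import Path

# Extensions the page reports Tomiris uploads (T1041 entry); matched case-insensitively.
TARGET_EXTENSIONS = {".doc", ".docx", ".pdf", ".rar"}
DAY = 86400


def find_exposed_files(root, window_days, now=None):
    """List files under root with a targeted extension modified within window_days.

    Returns sorted (relative_path, size_bytes) pairs. The window is this example's
    assumption: the page says "recent files" without giving a cutoff.
    """
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - window_days * DAY
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TARGET_EXTENSIONS:
                continue
            try:
                st = path.stat()
            except OSError:  # vanished or unreadable: skip rather than abort the sweep
                continue
            if st.st_mtime >= cutoff:
                hits.append((path.relative_to(root).as_posix(), st.st_size))
    return sorted(hits)


def build_sample_tree(base, now):
    """Constructed sample tree, not real victim data: a mix of ages and extensions."""
    samples = [  # (relative path, content, age in days)
        ("Documents/budget.docx", b"x" * 120, 2),
        ("Documents/contract.pdf", b"y" * 300, 10),
        ("Documents/archive.rar", b"z" * 50, 45),   # outside a 30-day window
        ("Documents/notes.txt", b"n" * 10, 1),      # extension not targeted
        ("Downloads/Report.PDF", b"r" * 80, 5),     # upper-case extension still matches
    ]
    for rel, content, age in samples:
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        mtime = now - age * DAY
        os.utime(p, (mtime, mtime))  # back-date so the age is deterministic
    return base


def demo(window_days=30):
    """Build the sample tree in a temporary directory and return the scoped list."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, now)
        return find_exposed_files(tmp, window_days, now=now)


if __name__ == "__main__":
    for rel, size in demo():
        print(f"{size:>6} bytes  {rel}")
```

Point `find_exposed_files` at the user profile of an affected host with the window taken from the C2 first-seen time in your timeline; the result is the candidate set for "what could have been exfiltrated over the C2 channel", which is narrower and more defensible than assuming every document was taken.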