The PolySwarm Blog

Tomiris Targets Central Asia in Espionage Campaign

May 5, 2023 2:00:47 PM / by The Hivemind

Related Families: Telemiris, TunnusSched, Roopy, JLORAT, KopiLuwak
Verticals Targeted: Government, Diplomatic Entities

Executive Summary

A Russian-speaking threat actor group dubbed Tomiris was recently observed conducting an espionage campaign targeting countries in Central Asia. The group uses a variety of tools, some of which overlap with the Russian threat actor group Venomous Bear.

Key Takeaways

  • A Russian-speaking threat actor group dubbed Tomiris was recently observed conducting an espionage campaign targeting countries in Central Asia. 
  • Tomiris tends to use a variety of tools, including downloaders, backdoors, and stealers.
  • Some of the tools used by Tomiris include Telemiris, Roopy, JLORAT, TunnusSched, and KopiLuwak.
  • Tomiris may have operational overlap with Venomous Bear and/or YoroTrooper. 

The Campaign

A Russian-speaking threat actor group dubbed Tomiris was recently observed conducting an espionage campaign targeting countries in Central Asia. Securelist reported on this activity. The threat actors appear to be targeting government and diplomatic entities with the objective of stealing internal documents.

Tools

Tomiris tends to use a variety of tools, including downloaders, backdoors, and stealers. They also tend to use low-sophistication “burner implants” to barrage the same targets repeatedly. Some of their tools include Telemiris, a Golang implant, SBZ filestealer, TunnusSched, Topinambour, RocketMan, Tunnus, Roopy, JLORAT, RATel, a Meterpreter loader, KopiLuwak, and Tomiris downloader. Some of these tools are described in further detail below.

Telemiris

Telemiris is a Python backdoor that uses Telegram for C2. It is a first-stage implant the threat actors use to deploy other payloads.

Roopy

Roopy is a file stealer written in Pascal. It checks the victim machine at regular intervals, uploading files of interest to the C2.

JLORAT

JLORAT is a backdoor written in Rust. It gathers system information, user information, and the victim's IP address and sends this information to the C2. It also searches victim machine data for specific keywords. JLORAT can be extended with additional modules, turning it into a file stealer dubbed JLOGRAB.

TunnusSched

TunnusSched, also known as QuietCanary, is a .NET backdoor used to gather and exfiltrate victim data. Tomiris used Telemiris to deploy TunnusSched against a government target.

KopiLuwak

KopiLuwak is a reconnaissance utility written in JavaScript. Threat actors typically use KopiLuwak for victim profiling and C2 communications.

Possible Operational Overlap

Kaspersky researchers have noted TTP overlap and possible affiliation between Tomiris and Venomous Bear, a Russia-nexus state-sponsored threat actor group.

Additionally, PolySwarm researchers discovered an overlap between Tomiris and YoroTrooper. We discovered at least three samples in our data set attributed to both Tomiris and YoroTrooper. All three samples are Telemiris malware:

00466d76832193b3f8be186d00e48005b460d6895798a67bc1c21e4655cb2e62
df75defc7bde078faefcb2c1c32f16c141337a1583bd0bc14f6d93c135d34289
fd7fe71185a70f281545a815fce9837453450bb29031954dd2301fe4da99250d

Our researchers also discovered that a fourth, publicly reported sample, with the hash 358411a3b4a327805d629612b1b64357efe5389e56ddae9128ababbc8a2357a1, is also used by both Tomiris and YoroTrooper.

Based on this TTP overlap, along with the known targeting of both groups, our analysts assess with medium confidence that this indicates one of three possibilities: either Tomiris and YoroTrooper are the same group; Tomiris and YoroTrooper work together or are part of a larger umbrella group; or one of the groups is reusing malware created by the other.

IOCs

PolySwarm has multiple samples associated with this campaign.

00466d76832193b3f8be186d00e48005b460d6895798a67bc1c21e4655cb2e62
df75defc7bde078faefcb2c1c32f16c141337a1583bd0bc14f6d93c135d34289
fd7fe71185a70f281545a815fce9837453450bb29031954dd2301fe4da99250d
80721e6b2d6168cf17b41d2f1ab0f1e6e3bf4db585754109f3b7ff9931ae9e5b
3f94b20cb7f4ff55207660649ebbb02679c991fe03efbcb0bd3840fc7f0bd527
0fc624aa9656a8bc21731bfc47fd7780da38a7e8ad7baf1529ccd70a5bb07852
29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94
009406c1c7c0b289a25d44dfaa8364633d9b71df5f3c7a65deec1ef00a8c2ebb
69bb729ff354cd9651f99a05f74f3ea20d483dc8e6e5838e4dd48858fd500d29
c9db4f661a86286ad47ad92dfb544b702dca8ffe1641e276b42bec4cde7ba9b4
b144229fb62799aa23537eaf0ce267b1445a182c28f4679e8f8234eeb5e603f3
e2d4d030542a44a8d4cc8b97da7b26487570dda432a736766dd2ab6d57a3b787
358411a3b4a327805d629612b1b64357efe5389e56ddae9128ababbc8a2357a1
65da1696d36da254779a028b881a1890b0b037e7eee8ea0a9446c8bb0729c1cf
e152322530819d196fb411a0cb12cf4bcc94975b400a17b95f0fc2e28f6493e5
352f9cd4c14c1002d6c8d902cbca4e96d03a8bb243b33dd192a2260fe66091a1
98275bfe968d5998230bdf18de1be795b5ad42bd82b5ecb1405b00afba6f533d

You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -f Tomiris
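For defenders who want to check their own file stores against the hashes in this bulletin without the portal, the following is an added example (not PolySwarm's code or tooling) that walks a directory, computes SHA-256 for each file, and reports matches. The hash values are copied from the IOC list above; note that the bulletin prints some of them with an uppercase first character, so the matcher normalises case on both sides before comparing. The directory path is an assumption supplied on the command line.

```python
"""IOC sweep against the Tomiris SHA-256 hashes published in this bulletin.

Added example, not PolySwarm's code. Hash values come from the bulletin's IOC
list; the directory to sweep is an assumption passed as the first argument.
"""
import hashlib
import os
import sys
from typing import Dict, Iterable, Set

# SHA-256 values as listed in the bulletin (copied verbatim; normalised to
# lowercase before use so that mixed-case entries still match).
TOMIRIS_SHA256 = [
    "00466d76832193b3f8be186d00e48005b460d6895798a67bc1c21e4655cb2e62",
    "df75defc7bde078faefcb2c1c32f16c141337a1583bd0bc14f6d93c135d34289",
    "fd7fe71185a70f281545a815fce9837453450bb29031954dd2301fe4da99250d",
    "80721e6b2d6168cf17b41d2f1ab0f1e6e3bf4db585754109f3b7ff9931ae9e5b",
    "3f94b20cb7f4ff55207660649ebbb02679c991fe03efbcb0bd3840fc7f0bd527",
    "0fc624aa9656a8bc21731bfc47fd7780da38a7e8ad7baf1529ccd70a5bb07852",
    "29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94",
    "009406c1c7c0b289a25d44dfaa8364633d9b71df5f3c7a65deec1ef00a8c2ebb",
    "69bb729ff354cd9651f99a05f74f3ea20d483dc8e6e5838e4dd48858fd500d29",
    "c9db4f661a86286ad47ad92dfb544b702dca8ffe1641e276b42bec4cde7ba9b4",
    "b144229fb62799aa23537eaf0ce267b1445a182c28f4679e8f8234eeb5e603f3",
    "e2d4d030542a44a8d4cc8b97da7b26487570dda432a736766dd2ab6d57a3b787",
    "358411a3b4a327805d629612b1b64357efe5389e56ddae9128ababbc8a2357a1",
    "65da1696d36da254779a028b881a1890b0b037e7eee8ea0a9446c8bb0729c1cf",
    "e152322530819d196fb411a0cb12cf4bcc94975b400a17b95f0fc2e28f6493e5",
    "352f9cd4c14c1002d6c8d902cbca4e96d03a8bb243b33dd192a2260fe66091a1",
    "98275bfe968d5998230bdf18de1be795b5ad42bd82b5ecb1405b00afba6f533d",
]

HEX_DIGITS = set("0123456789abcdef")


def normalize_iocs(hashes: Iterable[str]) -> Set[str]:
    """Lowercase and strip each entry; keep only well-formed 64-hex SHA-256 values."""
    out: Set[str] = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) == 64 and set(h) <= HEX_DIGITS:
            out.add(h)
    return out


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Streamed SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(observed: Dict[str, str], iocs: Iterable[str]) -> Dict[str, str]:
    """Return {label: lowercase_hash} for every observed entry found in the IOC set."""
    ioc_set = normalize_iocs(iocs)
    return {
        label: h.strip().lower()
        for label, h in observed.items()
        if h.strip().lower() in ioc_set
    }


def sweep_directory(root: str, iocs: Iterable[str] = TOMIRIS_SHA256) -> Dict[str, str]:
    """Hash every regular file under root and return the ones matching the IOC list."""
    observed: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                observed[path] = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
    return match_hashes(observed, iocs)


if __name__ == "__main__":
    # Assumed usage: python sweep.py /path/to/suspect/files
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = sweep_directory(root)
    for path, digest in sorted(hits.items()):
        print(f"MATCH {digest} {path}")
    print(f"{len(hits)} matching file(s) under {root}")
```

A hash match is a strong indicator but only catches the exact samples listed; the bulletin notes that Tomiris rotates low-sophistication "burner implants", so a clean sweep does not rule out a related sample with a different hash.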


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports


Topics: Russia, Threat Bulletin, Kopiluwak, TunnusSched, Roopy, Tomiris, Central Asia, Telemiris, JLORAT
