Verticals Targeted: Government, Diplomatic Entities
Executive Summary
A Russian-speaking threat actor group dubbed Tomiris was recently observed conducting an espionage campaign targeting countries in Central Asia. The group uses a variety of tools, some of which overlap with the Russian threat actor group Venomous Bear.
Key Takeaways
The Campaign
A Russian-speaking threat actor group dubbed Tomiris was recently observed conducting an espionage campaign targeting countries in Central Asia. Securelist reported on this activity. The threat actors appear to be targeting entities with the objective of stealing internal documents from government and diplomatic entities.
Tools
Tomiris tends to use a variety of tools, including downloaders, backdoors, and stealers. They also tend to use low-sophistication “burner implants” to barrage the same targets repeatedly. Some of their tools include Telemiris, a Golang implant, SBZ filestealer, TunnusSched, Topinambour, RocketMan, Tunnus, Roopy, JLORAT, RATel, a Meterpreter loader, KopiLuwak, and Tomiris downloader. Some of these tools are described in further detail below.
Telemiris
Telemiris is a Python backdoor that uses Telegram for C2. It is a first-stage implant the threat actors use to deploy other payloads.
Roopy
Roopy is a file stealer written in Pascal. It checks the victim machine at regular intervals, uploading files of interest to the C2.
JLORAT
JLORAT is written in Rust. It is a backdoor that gathers system information, user information, and IP address. This information is sent to the C2. It also searches victim machine data for specific keywords. JLORAT can have additional modules, turning it into a file stealer dubbed JLOGRAB.
TunnusSched
TunnusSched, also known as QuietCanary, is a .NET backdoor used to gather and exfiltrate victim data. Tomiris used Telemiris to deploy TunnusSched against a government target.
KopiLuwak
KopiLuwak is a reconnaissance utility written in JavaScript. Threat actors typically use KopiLuwak for victim profiling and C2 communications.
Possible Operational Overlap
Kaspersky researchers have noted TTP overlap and possible affiliation between Tomiris and Venomous Bear, a Russia-nexus state-sponsored threat actor group.
Additionally, PolySwarm researchers discovered an overlap between Tomiris and YoroTrooper. We discovered at least three samples in our data set attributed to both Tomiris and YoroTrooper. All three samples are Telemiris malware:
00466d76832193b3f8be186d00e48005b460d6895798a67bc1c21e4655cb2e62
df75defc7bde078faefcb2c1c32f16c141337a1583bd0bc14f6d93c135d34289
Fd7fe71185a70f281545a815fce9837453450bb29031954dd2301fe4da99250d
Our researchers also discovered that a fourth publicly reported sample, with the hash 358411a3b4a327805d629612b1b64357efe5389e56ddae9128ababbc8a2357a1, is also used by both Tomiris and YoroTrooper.
Based on this TTP overlap, along with known targeting of both groups, our analysts assess with medium confidence that this indicates one of three possibilities: either Tomiris and YoroTrooper are the same group, Tomiris and YoroTrooper work together or are part of a larger umbrella group, or one of the groups is reusing malware created by the other group.
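As an added example (not part of the PolySwarm report), the overlap check described above in Python: the hashes listed on this page are normalised (one is printed with a mixed-case leading digit), each sample is recorded with the actors it is attributed to, and the samples tagged with every actor of interest are listed. The attribution table is constructed to match the text, the all-zero hash is a placeholder, and the file-matching helper is a defender-side lookup against the same IoC set.

```python
import hashlib
from pathlib import Path

# SHA-256 hashes of Telemiris samples as listed in the report. One is
# printed with an uppercase leading digit on the page, so every hash is
# normalised to lowercase before it is compared with anything.
REPORTED_HASHES = [
    "00466d76832193b3f8be186d00e48005b460d6895798a67bc1c21e4655cb2e62",
    "df75defc7bde078faefcb2c1c32f16c141337a1583bd0bc14f6d93c135d34289",
    "Fd7fe71185a70f281545a815fce9837453450bb29031954dd2301fe4da99250d",
    "358411a3b4a327805d629612b1b64357efe5389e56ddae9128ababbc8a2357a1",
]

# Constructed attribution data: the actors each sample is tagged with.
# The four report hashes carry both tags, as the text states. The all-zero
# hash is a placeholder tagged only as Tomiris so the overlap query has
# something to filter out.
PLACEHOLDER_TOMIRIS_ONLY = "0" * 64
ATTRIBUTION = {h.lower(): {"Tomiris", "YoroTrooper"} for h in REPORTED_HASHES}
ATTRIBUTION[PLACEHOLDER_TOMIRIS_ONLY] = {"Tomiris"}


def normalize_sha256(value: str) -> str:
    """Lowercase and validate a SHA-256 hex digest; reject malformed input."""
    v = value.strip().lower()
    if len(v) != 64 or any(c not in "0123456789abcdef" for c in v):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return v


def shared_samples(attribution, *actors):
    """Return the sorted hashes tagged with every actor in `actors`."""
    wanted = set(actors)
    return sorted(h for h, tags in attribution.items() if wanted <= tags)


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_files(paths, ioc_hashes):
    """Map each file whose SHA-256 is in the IoC set to its digest."""
    wanted = {normalize_sha256(h) for h in ioc_hashes}
    return {str(p): d for p in paths if (d := sha256_of_file(Path(p))) in wanted}
```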
IOCs
PolySwarm has multiple samples associated with this campaign. The following CLI command searches for all related samples in our portal:
$ polyswarm link list -f Tomiris