Tomiris and Turla APT Groups Collaborate to Target Government Entities

The Advanced Persistent Threat (APT) group known as Tomiris has been observed deploying KopiLuwak and TunnusSched malware, attack tools previously associated with another APT group named Turla.

Kaspersky security experts shared their findings in an advisory released today analyzing the latest Tomiris campaign in Central Asia.

Kaspersky senior security researchers Pierre Delcher and Ivan Kwiatkowski wrote:

“Threat actors are targeting CIS [Commonwealth of Independent States] government and diplomatic agencies. Occasionally, victims found in other regions (such as the Middle East and Southeast Asia) turn out to be foreign representatives of CIS countries, demonstrating the narrow focus of Tomiris.”

Kaspersky notes that the observed attacks consisted of several unsophisticated “burner” implants. Tomiris has also relied on RATs, both commercial and open source.

Attack vectors included spear-phishing emails with malicious content attached, including password-protected archives, malicious documents, and weaponized LNK files. Tomiris also used DNS hijacking, exploitation of vulnerabilities (especially ProxyLogon), and allegedly drive-by downloads.


Delcher and Kwiatkowski highlighted that language artifacts found in Tomiris’ family of implants and various campaign infrastructure indicate that the APT speaks Russian.

“Although there may be a connection between the two groups, we believe that Turla and Tomiris are separate actors,” Kaspersky explained.

“Tomiris [like Turla] is undoubtedly Russian-speaking, but its targeting and tradecraft are very different from those observed in Turla. Additionally, Tomiris’ general approach to infiltration and limited interest in stealth differ significantly from the documented Turla tradecraft.”

Still, the shared deployment of the KopiLuwak and TunnusSched malware tools indicates that more actors have access to them.

“Tactics and malware samples can only take you so far, and we are often reminded of the organizational and political constraints on the attackers,” the advisory reads. “This research demonstrates the limits of technical attribution that can only be overcome through information sharing.”

Kaspersky’s recommendations come months after the Russian government banned several foreign messaging apps.
