Tomiris
Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | 从本地系统获取数据 |
Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration.[1] |
|
| Enterprise | T1568 | 动态解析 |
Tomiris has connected to a signalization server that provides a URL and port, and then Tomiris sends a GET request to that URL to establish C2.[1] |
|
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| Enterprise | T1027 | .002 | 混淆文件或信息: Software Packing | |
| Enterprise | T1497 | .003 | 虚拟化/沙盒规避: Time Based Evasion |
Tomiris has the ability to sleep for at least nine minutes to evade sandbox-based analysis systems.[1] |
| Enterprise | T1105 | 输入工具传输 |
Tomiris can download files and execute them on a victim's system.[1] |
|
| Enterprise | T1041 | 通过C2信道渗出 |
Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.[1] |
|
| Enterprise | T1053 | .005 | 预定任务/作业: Scheduled Task |
Tomiris has used |