Windows Moriya rootkit used in highly targeted attacks

Experts spotted a new malware, dubbed Moriya rootkit, that targets Windows systems as part of cyberespionage campaign dubbed TunnelSnake.

An unclassified threat actor employed a new stealthy malware, dubbed Moriya rootkit, to compromise Windows systems. Kaspersky experts who uncovered the threat speculate the attacks are likely part of an ongoing espionage campaign dubbed TunnelSnake that has been active since at least 2018.

Multiple samples of the rootkit were first spotted on networks of regional diplomatic organizations in Asia and Africa between October 2019 and May 2020. Other samples of the malware were involved in an attack against an organization in South Asia, where the attackers deployed a broad toolset for lateral movement (including China Chopper, BOUNCER, Termite, and Earthworm) along with the rootkit. One of the tools employed in the attack was formerly used by APT1, experts estimated that the threat actor first compromised the target network in early 2018.

According to Kaspersky, the malware was used in highly targeted attacks against less than 10 entities.

The Moriya rootkit is a passive backdoor that allows attackers to spy on their victims’ network traffic and send commands to compromised hosts.

“The rootkit has two traits that make it particularly evasive. The packet inspection happens in kernel mode with the use of a Windows driver, allowing attackers to drop the packets of interest before they are processed by the network stack, thus ensuring they are not detected by security solutions.” reads the analysis published by Kaspersky. “Secondly, the fact that the rootkit waits for incoming traffic rather than initiating a connection to a server itself, avoids the need to incorporate a C&C address in the malware’s binary or to maintain a steady C&C infrastructure. This hinders analysis and makes it difficult to trace the attacker’s footprints.”

Moriya rootkit allows attackers to analyze incoming network traffic directly from the Windows kernel’s address space.

Moriya filtering engine intercepts TCP packets sent over IPv4 from a remote address and inspects them using a function that checks if its first six bytes correspond to the previously registered magic value, and if so, copies the packet contents into a special buffer that can be later accessed by the user mode agent. Only matching packets will be blocked in order to hide their presence from the system, while any other packet is permitted to be processed as intended by the network stack.

“The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations.” concludes the report.

“Still, with activity dating back to at least 2018, the threat actor behind this campaign has shown that it is able to evolve and tailor its toolset to target environments. This indicates the group conducting these attacks may well still be active and retooling for additional operations in the area of interest outlined in this publication, as well as other regions.”

Additional technical details on the Moriya rootkit, including indicators of compromise associated with the attacks are available in Kaspersky’s report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Tunnelsnake)

[adrotate banner=”5″]

[adrotate banner=”13″]