An unclassified threat actor employed a new stealthy malware, dubbed Moriya rootkit, to compromise Windows systems. Kaspersky experts who uncovered the threat speculate the attacks are likely part of an ongoing espionage campaign dubbed TunnelSnake that has been active since at least 2018.
Multiple samples of the rootkit were first spotted on networks of regional diplomatic organizations in Asia and Africa between October 2019 and May 2020. Other samples of the malware were involved in an attack against an organization in South Asia, where the attackers deployed a broad toolset for lateral movement (including China Chopper, BOUNCER, Termite, and Earthworm) along with the rootkit. One of the tools employed in the attack was formerly used by APT1, experts estimated that the threat actor first compromised the target network in early 2018.
According to Kaspersky, the malware was used in highly targeted attacks against less than 10 entities.
The Moriya rootkit is a passive backdoor that allows attackers to spy on their victims’ network traffic and send commands to compromised hosts.
“The rootkit has two traits that make it particularly evasive. The packet inspection happens in kernel mode with the use of a Windows driver, allowing attackers to drop the packets of interest before they are processed by the network stack, thus ensuring they are not detected by security solutions.” reads the analysis published by Kaspersky. “Secondly, the fact that the rootkit waits for incoming traffic rather than initiating a connection to a server itself, avoids the need to incorporate a C&C address in the malware’s binary or to maintain a steady C&C infrastructure. This hinders analysis and makes it difficult to trace the attacker’s footprints.”
Moriya rootkit allows attackers to analyze incoming network traffic directly from the Windows kernel’s address space.
Moriya filtering engine intercepts TCP packets sent over IPv4 from a remote address and inspects them using a function that checks if its first six bytes correspond to the previously registered magic value, and if so, copies the packet contents into a special buffer that can be later accessed by the user mode agent. Only matching packets will be blocked in order to hide their presence from the system, while any other packet is permitted to be processed as intended by the network stack.
“The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations.” concludes the report.
“Still, with activity dating back to at least 2018, the threat actor behind this campaign has shown that it is able to evolve and tailor its toolset to target environments. This indicates the group conducting these attacks may well still be active and retooling for additional operations in the area of interest outlined in this publication, as well as other regions.”
Additional technical details on the Moriya rootkit, including indicators of compromise associated with the attacks are available in Kaspersky’s report.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Operation Tunnelsnake)
[adrotate banner=”5″]
[adrotate banner=”13″]
The MITRE Corporation revealed that a nation-state actor compromised its systems in January 2024 by…
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher…
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack…
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
This website uses cookies.