10 May 2021

TunnelSnake cyber-espionage campaign deploys unique rootkit to backdoor Windows systems


An unknown threat actor deployed a previously undocumented rootkit designed to secretly control networks of target organizations in what appears to be a cyber-espionage campaign going back to at least 2018.

The rootkit, dubbed ‘Moriya’ by researchers at Kaspersky, was discovered while investigating the TunnelSnake campaign, which targeted several prominent organizations in Asia and Africa. Moriya is a passive backdoor that allows bad actors to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them, and send commands to infected machines, Kaspersky says.

“The rootkit has two traits that make it particularly evasive. The packet inspection happens in kernel mode with the use of a Windows driver, allowing attackers to drop the packets of interest before they are processed by the network stack, thus ensuring they are not detected by security solutions. Secondly, the fact that the rootkit waits for incoming traffic rather than initiating a connection to a server itself avoids the need to incorporate a C&C address in the malware’s binary or to maintain a steady C&C infrastructure. This hinders analysis and makes it difficult to trace the attacker’s footprints,” according to the report.
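
The evasion described above, a driver discarding its operator's packets before the host's network stack sees them, leaves a gap a defender can look for: inbound packets visible at a network tap or span port but absent from the host's own view. The following is an added example, not code from Kaspersky or the report, that diffs two constructed packet lists to surface such a gap; the `Pkt` tuple, the sample addresses and the threshold are assumptions, and it presumes the host-side view is collected by something the driver does not sit beneath.

```python
# Added example: flag inbound packets seen at a network tap but missing from
# the host's own capture, the footprint a drop-before-stack kernel filter leaves.
# All sample data below is constructed; nothing here is taken from the report.
from collections import Counter
from typing import Iterable, NamedTuple


class Pkt(NamedTuple):
    src: str
    dst: str
    dport: int
    length: int


def missing_on_host(tap: Iterable[Pkt], host: Iterable[Pkt]) -> list[Pkt]:
    """Inbound packets present at the tap but not in the host capture.
    Multiset difference, so repeated identical packets are each counted."""
    gap = Counter(tap) - Counter(host)
    return sorted(gap.elements())


def suspicious_sources(gap: Iterable[Pkt], min_packets: int = 3) -> dict[str, int]:
    """Group the gap by source address. A source whose packets repeatedly
    vanish on the host (not a one-off capture glitch) is the triage lead."""
    per_src = Counter(p.src for p in gap)
    return {src: n for src, n in per_src.items() if n >= min_packets}


# Constructed sample: 198.51.100.7 is the hypothetical operator whose packets
# the driver swallows; the other two sources reach the host normally.
TAP_VIEW = [
    Pkt("203.0.113.5", "10.0.0.12", 443, 517),
    Pkt("198.51.100.7", "10.0.0.12", 443, 120),
    Pkt("198.51.100.7", "10.0.0.12", 443, 120),
    Pkt("198.51.100.7", "10.0.0.12", 443, 304),
    Pkt("203.0.113.9", "10.0.0.12", 80, 66),
]
HOST_VIEW = [
    Pkt("203.0.113.5", "10.0.0.12", 443, 517),
    Pkt("203.0.113.9", "10.0.0.12", 80, 66),
]

if __name__ == "__main__":
    gap = missing_on_host(TAP_VIEW, HOST_VIEW)
    for src, n in suspicious_sources(gap).items():
        print(f"{n} inbound packets from {src} never reached the host stack")
```

Ordinary packet loss and capture timing also produce small gaps, so the threshold and a repeated-source pattern matter more than any single missing packet.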

In addition to Moriya, the TunnelSnake operators deployed several tools, such as China Chopper, BOUNCER, Termite, and Earthworm (previously attributed to well-known Chinese-speaking threat actors), during the post-exploitation stage on the compromised systems.

As for the victims of the campaign, Kaspersky’s telemetry showed that the attacks were highly targeted and delivered to fewer than 10 victims around the world, the most prominent being two large regional diplomatic organizations in South-East Asia and Africa. All the others were victims in South Asia.

The researchers said they have not been able to attribute the TunnelSnake operation to any particular threat actor, but, based on the TTPs used throughout the campaign, they believe that a Chinese APT was behind it.

“Still, with activity dating back to at least 2018, the threat actor behind this campaign has shown that it is able to evolve and tailor its toolset to target environments. This indicates the group conducting these attacks may well still be active and retooling for additional operations in the area of interest outlined in this publication, as well as other regions,” Kaspersky concluded.
