10 May 2021

TunnelSnake cyber-espionage campaign deploys unique rootkit to backdoor Windows systems


TunnelSnake cyber-espionage campaign deploys unique rootkit to backdoor Windows systems

An unknown threat actor deployed a previously undocumented rootkit designed to secretly control networks of target organizations in what appears to be a cyber-espionage campaign going back to at least 2018.

The rootkit dubbed ‘Moriya’ by researchers at Kaspersky was discovered while investigating the TunnelSnake campaign that targeted several prominent organizations in Asia and Africa. Moriya is a passive backdoor which allows bad actors to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them, and send commands to infected machines, Kaspersky says.

“The rootkit has two traits that make it particularly evasive. The packet inspection happens in kernel mode with the use of a Windows driver, allowing attackers to drop the packets of interest before they are processed by the network stack, thus ensuring they are not detected by security solutions. Secondly, the fact that the rootkit waits for incoming traffic rather than initiating a connection to a server itself, avoids the need to incorporate a C&C address in the malware’s binary or to maintain a steady C&C infrastructure. This hinders analysis and makes it difficult to trace the attacker’s footprints,” according to the report.

In addition to Moriya, the TunnelSnake operators deployed several tools, such as China Chopper, BOUNCER, Termite, and Earthworm (previously attributed to well-known Chinese-speaking threat actors), during the post-exploitation stage on the compromised systems.

As for the victims of the campaign, Kaspersky’s telemetry showed that the attacks were highly targeted and delivered to less than 10 victims around the world, with the most prominent victims being two large regional diplomatic organizations in South-East Asia and Africa. All the others were victims in South Asia.

The researchers said they have not been able to attribute the TunnelSnake operation to any particular threat actor, but based on the TTPs used throughout the campaign they believe that a Chinese APT was behind it.

“Still, with activity dating back to at least 2018, the threat actor behind this campaign has shown that it is able to evolve and tailor its toolset to target environments. This indicates the group conducting these attacks may well still be active and retooling for additional operations in the area of interest outlined in this publication, as well as other regions,” Kaspersky concluded.

Back to the list

Latest Posts

North Korean hackers target South Korean defense contractors

North Korean hackers target South Korean defense contractors

Lazarus, Kimsuky, and Andariel are believed to be behind the cyber intrusions.
23 April 2024
US imposes visa restrictions on individuals linked to commercial spyware

US imposes visa restrictions on individuals linked to commercial spyware

The announcement follows the implementation of a new policy by the US government over two months ago.
23 April 2024
Threat actor uses Signal spear-phishing to infect Ukrainian military personnel with malware

Threat actor uses Signal spear-phishing to infect Ukrainian military personnel with malware

The attack exploits a vulnerability in WinRAR software.
23 April 2024