An unknown threat actor deployed a previously undocumented rootkit designed to secretly control networks of target organizations in what appears to be a cyber-espionage campaign going back to at least 2018.
The rootkit dubbed ‘Moriya’ by researchers at Kaspersky was discovered while investigating the TunnelSnake campaign that targeted several prominent organizations in Asia and Africa. Moriya is a passive backdoor which allows bad actors to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them, and send commands to infected machines, Kaspersky says.
“The rootkit has two traits that make it particularly evasive. The packet inspection happens in kernel mode with the use of a Windows driver, allowing attackers to drop the packets of interest before they are processed by the network stack, thus ensuring they are not detected by security solutions. Secondly, the fact that the rootkit waits for incoming traffic rather than initiating a connection to a server itself avoids the need to incorporate a C&C address in the malware’s binary or to maintain a steady C&C infrastructure. This hinders analysis and makes it difficult to trace the attacker’s footprints,” according to the report.
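Because the driver discards its command packets before the Windows network stack sees them, host-based sensors on the infected machine stay blind, but a network tap upstream still records the flow. The following added example (written for this article, not code from Kaspersky or the TunnelSnake report) shows the hunting heuristic that follows from that: compare inbound flows seen at a network sensor with those the host itself logged and flag sources the host never saw. Both log formats and all addresses are constructed and simplified, not real Zeek or Windows Filtering Platform output.

```python
"""Hunt for inbound flows a host never logged (added example, not from the report)."""
from collections import Counter

# Constructed sample: inbound flows seen by a network sensor (tap / SPAN port).
NETWORK_FLOWS = """\
2021-05-06T10:00:01Z 198.51.100.7:51022 -> 10.0.0.5:443 tcp
2021-05-06T10:00:04Z 198.51.100.7:51023 -> 10.0.0.5:443 tcp
2021-05-06T10:00:09Z 203.0.113.9:40001 -> 10.0.0.5:443 tcp
2021-05-06T10:00:15Z 203.0.113.9:40002 -> 10.0.0.5:443 tcp
2021-05-06T10:00:20Z 192.0.2.44:6000 -> 10.0.0.5:80 tcp
"""

# Constructed sample: inbound connections the host's own logging recorded.
# 203.0.113.9 is absent: the host never saw those packets.
HOST_FLOWS = """\
2021-05-06T10:00:01Z 198.51.100.7:51022 -> 10.0.0.5:443 tcp
2021-05-06T10:00:04Z 198.51.100.7:51023 -> 10.0.0.5:443 tcp
2021-05-06T10:00:20Z 192.0.2.44:6000 -> 10.0.0.5:80 tcp
"""


def parse_flows(text):
    """Parse the simplified log format into a set of 5-tuples."""
    flows = set()
    for line in text.splitlines():
        _ts, src, _arrow, dst, proto = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.add((sip, int(sport), dip, int(dport), proto))
    return flows


def host_blind_sources(network_text, host_text, min_hits=2):
    """Return {source_ip: count} for sources whose inbound flows the sensor
    saw but the host never logged.

    min_hits suppresses one-off gaps (packet loss, clock skew) and keeps
    sources that repeatedly reach the host without a host-side trace, which
    is the footprint a passive kernel-mode filter leaves behind.
    """
    missing = parse_flows(network_text) - parse_flows(host_text)
    hits = Counter(flow[0] for flow in missing)
    return {src: n for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for src, n in host_blind_sources(NETWORK_FLOWS, HOST_FLOWS).items():
        print(f"{src}: {n} inbound flows unseen by the host")
```

A real deployment would feed the same comparison from Zeek conn logs and Windows firewall or ETW network events; any source that the network sees talking to a host but the host never records deserves a closer look at that host's loaded drivers.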
In addition to Moriya, the TunnelSnake operators deployed several tools, such as China Chopper, BOUNCER, Termite, and Earthworm (previously attributed to well-known Chinese-speaking threat actors), during the post-exploitation stage on the compromised systems.
As for the victims of the campaign, Kaspersky’s telemetry showed that the attacks were highly targeted and delivered to fewer than 10 victims around the world, with the most prominent victims being two large regional diplomatic organizations in South-East Asia and Africa. The remaining victims were in South Asia.
The researchers said they have not been able to attribute the TunnelSnake operation to any particular threat actor, but based on the TTPs used throughout the campaign they believe that a Chinese APT was behind it.
“Still, with activity dating back to at least 2018, the threat actor behind this campaign has shown that it is able to evolve and tailor its toolset to target environments. This indicates the group conducting these attacks may well still be active and retooling for additional operations in the area of interest outlined in this publication, as well as other regions,” Kaspersky concluded.