New Moriya Rootkit Used In The Wild To Backdoor Windows Systems

An unknown threat actor used a new stealthy rootkit to backdoor targeted Windows systems what looks like an ongoing espionage campaign dubbed TunnelSnake going back to at least 2018.

Rootkits are malicious tools designed to evade detection by burying deep into the operating system and used by attackers to fully take over infected systems while avoiding detection.

The previously unknown malware, dubbed Moriya by Kaspersky researchers who discovered it in the wild, is a passive backdoor that enables attackers to covertly spy on their victims’ network traffic and send commands to compromised hosts.

Unusually evasive espionage backdoor

Moriya allowed TunnelSnake operators to capture and analyze incoming network traffic “from the Windows kernel’s address space, a memory region where the operating system’s kernel resides and where typically only privileged and trusted code runs.”

The way the backdoor received commands in the form of custom-crafted packets hidden within the victims’ network traffic, without needing to reach out to a command-and-control server, further added to the operation’s stealth showing the threat actor’s focus on evading detection.

“We see more and more covert campaigns such as TunnelSnake, where actors take additional steps to remain under the radar for as long as possible, and invest in their toolsets, making them more tailored, complex and harder to detect,” Mark Lechtik, a senior security researcher at Kaspersky’s Global Research and Analysis Team, said.

Also Read: PDPA Singapore Guidelines: 16 Key Concepts For Your Business

According to Kaspersky’s telemetry, the malware was deployed on the networks of less than 10 entities in highly targeted attack.

The threat actor used backdoored systems belonging to Asian and African diplomatic entities and other high-profile organizations to gain control of their networks and maintain persistence for months without being detected.

The attackers also deployed additional tools (including China Chopper, BOUNCER, Termite, and Earthworm) during the post-exploitation stage on the compromised systems (custom-made and previously used by Chinese-speaking actors).

This enabled them to move laterally on the network after scanning for and finding new vulnerable hosts on the victims’ networks.

All evidence points to Chinese-speaking threat actors

Although Kaspersky researchers weren’t able to attribute the campaign to a specific threat actor, the Tactics, techniques and procedures (TTPs) used in the attacks and the entities targeted suggest that the attackers are likely Chinese-speaking.

“We also found an older version of Moriya used in a stand-alone attack in 2018, which points to the actor being active since at least 2018,” Giampaolo Dedola, a senior security researcher at Kaspersky’s Global Research and Analysis Team, added.

“The targets’ profile and leveraged toolset suggest that the actor’s purpose in this campaign is espionage, though we can only partially attest to this with lack of visibility into any actual siphoned data.”

Further technical details on the Moriya rootkit and indicators of compromise associated with the TunnelSnake campaign can be found in Kaspersky’s report.

In October, Kaspersky also found the second-ever UEFI rootkit used in the wild (known as MosaicRegressor) while investigating attacks from 2019 against two non-governmental organizations (NGOs).

Also Read: Data Protection Officer Singapore | 10 FAQs

The previous UEFI bootkit used in the wild is known as LoJax and was discovered by ESET in 2018 while being injected by the Russian-backed APT28 hacking group within the legit LoJack anti-theft software.