A sophisticated threat actor has been exploiting an evasive Windows rootkit to infiltrate high-profile organizations in Asia and Africa, with activity detected since at least 2018. This malware, dubbed ‘Moriya’, operates as a passive backdoor, allowing attackers to monitor incoming traffic on infected systems and selectively respond to packets intended for the malware.
Kaspersky researchers Mark Lechtik and Giampaolo Dedola detailed this ongoing espionage campaign, identified as ‘TunnelSnake’. Their analysis indicates that fewer than ten organizations globally have been targeted, with notable victims including large diplomatic entities in Southeast Asia and Africa, while most other targets are located in South Asia.
The first indications of Moriya came to light last November, when Kaspersky reported its discovery of this stealthy implant within networks of regional inter-governmental organizations. Malicious activities related to this operation appear to have originated as early as November 2019, with the rootkit remaining embedded in victim networks for extended periods following the initial breach.
This malware has been used to control publicly accessible servers within the targeted organizations by establishing covert channels with command-and-control (C2) servers, allowing the operators to execute shell commands and retrieve their output. These capabilities are implemented in a Windows kernel-mode driver, a fact emphasized in Kaspersky’s APT trends report for Q3 2020.
Rootkits, by design, pose substantial risks: they grant attackers elevated privileges within a system, allowing them to intercept essential input/output operations handled by the operating system and to camouflage their own presence to evade detection. Microsoft has introduced numerous defensive measures aimed at thwarting the execution of such rootkits, which makes Moriya’s evasion capabilities all the more significant.
The toolkit associated with this campaign, beyond the backdoor functionality, also includes malware already known in the threat landscape, such as the China Chopper web shell and BOUNCER, both historically tied to Chinese-speaking threat actors. This association points to the actor’s possible origins, and the tactics employed match the patterns typically observed from that group of adversaries.
As advanced persistent threats (APTs) continue to evolve, they increasingly target sensitive data while remaining concealed within their victims’ networks for extended periods, and their tactics grow more intricate and harder to detect. The TunnelSnake campaign illustrates the actions of a highly capable actor with significant resources to construct an evasive toolset, infiltrating prominent organizations with advanced techniques that leverage Windows drivers, covert communication methods, and proprietary malware.