Unknown threat actors have been using a Windows rootkit to install backdoors on compromised machines for years.
According to Kaspersky’s Operation TunnelSnake campaign (active since 2018), an advanced persistent threat (APT) group with an unknown origin but suspected of being Chinese-speaking has used the rootkit to secretly take control of organizations’ networks.
Rootkits are a set of resources built to remain undetected by hiding deep in the operating system’s code.
Rootkits can range from malware that targets the kernel to firmware or memory, and they often operate with system privileges.
Moriya, a recently discovered windows rootkit, is used to install passive backdoors on public-facing servers.
The backdoors are then used to create a link with a command-and-control (C2) server controlled by threat actor, for malicious purposes.
Attackers will use the backdoor to track all incoming and outgoing traffic that passes through an infected machine and filter out packets intended for the malware.
Latest in cybersecurity: Exim Server bug(21Nails) exposes millions of mail servers
The packet inspection takes place in kernel mode using the Windows driver.
The rootkit also waits for incoming traffic to bury communication with the C2, removing the need to connect the C2 directly, which could leave a malicious footprint that protection products could detect.
According to Kaspersky, this creates a hidden channel through which attackers can send shell commands and obtain their results.
Since Moriya Windows rootkit is a passive backdoor designed to be installed on a server, it has no hardcoded C2 address and relies solely on the driver to feed it packets filtered from the machine’s overall incoming traffic.
The use of post-exploit tools previously linked to Chinese threat groups such as China Chopper, Bounder, Termite, and Earthworm supports the suspicion that the APT is Chinese-speaking.
The attacks, on the other hand, are highly targeted, with less than ten victims worldwide so far.
Host scanning, lateral network movement, and file exfiltration are all examples of malicious activities.
The APT’s victims were discovered in Asia and Africa.
According to the researchers, the “prominent” diplomatic organizations in these regions have been attacked.
Although the rootkit was discovered in October 2019 and May 2020, the team believes the APT may have been active since 2018, or even earlier, based on timestamps linked with the post-exploit of another victim in South Asia.