Unknown attackers have been quietly using a Windows rootkit, named Moriya, to install passive backdoors on vulnerable machines. In a campaign Kaspersky has dubbed Operation TunnelSnake, an APT group of unknown origin, but suspected of being Chinese, has targeted networks belonging to organizations in South Asia and Africa.
Rootkits are tools that enable access to a computer that is not otherwise allowed and often hide deep in system code.
Kaspersky's cybersecurity team says it discovered a new rootkit, which it named Moriya, that attackers use to deploy passive backdoors on public-facing servers. The backdoors connect with a command-and-control (C2) server controlled by the threat actors and receive commands from it.
The backdoor allows attackers to inspect all incoming and outgoing traffic that passes through an infected machine, and to receive and send packets for the malware undetected. The attackers achieve this packet inspection with the help of a Windows driver and perform it in kernel mode. This lets them avoid reaching out directly to the C2 server, which would be more likely to be detected by security software.
“This forms a covert channel over which attackers are able to issue shell commands and receive back their outputs,” Kaspersky says. “Since Moriya is a passive backdoor intended to be deployed on a server accessible from the internet, it contains no hardcoded C2 address and relies solely on the driver to provide it with packets filtered from the machine’s overall incoming traffic.”
Kaspersky suspects the operators of this malware are Chinese-speaking, basing this assessment on post-exploitation tools linked to Chinese threat groups, including China Chopper, Bounder, Earthworm, and Termite. The victims were also located in Asia and Africa, among them “prominent” diplomatic organizations in those regions.
The malware can perform a range of malicious activities, such as lateral movement across networks, host scanning, and file exfiltration.
The team thinks the APT may have been in operation since at least 2018. Kaspersky also says the attackers are highly focused, having targeted fewer than 10 victims globally according to its records.