A Windows rootkit has been employed by unknown threat actors for years to stealthily install backdoors on vulnerable machines.
In a campaign by Kaspersky, named Operation TunnelSnake, the researchers said that an advanced persistent threat (APT) group, origin unknown but suspected of being Chinese-speaking, has used the rootkit to quietly take control of networks belonging to organizations.
Rootkits are packages of tools designed to stay under the radar by hiding themselves in deep levels of system code. Rootkits can range from malware designed to attack the kernel to firmware, or memory, and will often operate with high levels of privilege.
The newly-discovered rootkit, named Moriya, is used to deploy passive backdoors on public-facing servers. The backdoors are then used to establish a connection with a command-and-control (C2) server controlled by the threat actors for malicious purposes.
The backdoor allows attackers to monitor all incoming and outgoing traffic, that passes through an infected machine and filter out packets sent for the malware.
The packet inspection occurs in kernel mode with the help of a Windows driver. The rootkit also waits for incoming traffic to bury communication with the C2 and eliminate the need to reach out directly to the C2, which would potentially leave a malicious footprint that could be detected by security products.
According to Kaspersky, this forms a covert channel over which attackers are able to issue shell commands and receive back their outputs. As Moriya is a passive backdoor intended to be deployed on a server accessible from the internet, it contains no hardcoded C2 address and relies solely on the driver to provide it with packets filtered from the machine’s overall incoming traffic.
The APT is suspected to be Chinese-speaking, supported by the use of post-exploit tools previously linked to Chinese threat groups including China Chopper, Bounder, Termite, and Earthworm. Malicious activities include host scanning, lateral movement across networks, and file exfiltration.
The victims of the APT were found in Asia and Africa. As per the researchers, “prominent” diplomatic organizations in these regions have been targeted. While the rootkit was detected in October 2019 and May 2020, the team suspects that based on timestamps related to the post-exploit of another victim in South Asia, the APT may have been in operation since 2018, or earlier.
However, the attacks are extremely focused and has affected less than 10 victims worldwide so far.