Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Diplomatic Entities Targeted with New ‘Moriya’ Windows Rootkit

Researchers at anti-malware vendor Kaspersky are documenting a previously unknown Windows rootkit being used in the toolkit of an APT actor currently targeting diplomatic entities in Asia and Africa.

Researchers at anti-malware vendor Kaspersky are documenting a previously unknown Windows rootkit being used in the toolkit of an APT actor currently targeting diplomatic entities in Asia and Africa.

Dubbed Moriya, the rootkit provides the threat actor with the ability to intercept network traffic and hide commands sent to the infected machines, thus allowing the attackers to stay hidden within the compromised networks for months.

The rootkit is part of the toolkit used by TunnelSnake, an unknown actor that deploys backdoors onto public servers belonging to the targeted entities. Multiple other tools that show cover overlaps with the rootkit were also found.

Kaspersky discovered the rootkit on the networks of regional diplomatic organizations in Asia and Africa and says that the oldest identified instances are dated October 2019. The attacker managed to maintain persistence for several months after initially deploying the malware, with less than 10 victims identified to date.

[RELATED: Google: APT Group Burned 11 Zero-Days in Spying Operation ]

As part of an attack on an additional victim in South Asia, various tools were deployed for lateral movement, including one previously associated with APT1. Kaspersky’s security researchers believe that the attackers had access to the network since 2018.

To remain under the radar, the Moriya rootkit inspects network packets in kernel mode, drops packets of interest before they could be observed, and does not initiate a server connection, but waits for incoming traffic instead. Persistence is achieved through the creation of a service named Network Services Manager.

“This tool is a passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them. This forms a covert channel over which attackers are able to issue shell commands and receive back their outputs,” Kaspersky explains.

Moriya features a user mode component responsible for the deployment of the kernel mode component (the VirtualBox driver (VBoxDrv.sys) is abused to bypass Driver Signature Enforcement and load the unsigned driver) and for finding and reading commands sent from the C&C server through the covert communication channel. The rootkit can also establish a reverse shell session.

The rootkit’s driver component leverages the Windows Filtering Platform (WFP) to create a covert channel to the C&C and uses a filtering engine to grab the distinct Moriya-related traffic.

According to Kaspersky, the attackers likely exploit vulnerable web servers within target organizations for initial access, after which they deploy other tools (such as the China Chopper webshell) for network discovery and further payload delivery. Most of the tools are custom and tailored for the intended victims, but open-source malware used by Chinese threat actors was also used in attacks.

Kaspersky says that Moriya is the successor of IISSpy, a rootkit observed in 2018 in attacks unrelated to the TunnelSnake campaign. Furthermore, the researchers found a connection with the developers of the ProcessKiller malware, which is used to shut down antivirus products.

While they did not attribute the attacks to a specific adversary, Kaspersky’s researchers say that a Chinese-speaking threat actor is likely behind the campaign. The targeting is in line to that of Chinese groups and the employed tools also support the hypothesis.

“The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth,” Kaspersky concludes.

Related: Researchers Detail Operations of SilverFish Espionage Group

Related: Old Iranian Spying Operation Resumes After Long Break

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.