Researchers at anti-malware vendor Kaspersky are documenting a previously unknown Windows rootkit being used in the toolkit of an APT actor currently targeting diplomatic entities in Asia and Africa.
Dubbed Moriya, the rootkit provides the threat actor with the ability to intercept network traffic and hide commands sent to the infected machines, thus allowing the attackers to stay hidden within the compromised networks for months.
The rootkit is part of the toolkit used by TunnelSnake, an unknown actor that deploys backdoors onto public servers belonging to the targeted entities. Multiple other tools that show cover overlaps with the rootkit were also found.
Kaspersky discovered the rootkit on the networks of regional diplomatic organizations in Asia and Africa and says that the oldest identified instances are dated October 2019. The attacker managed to maintain persistence for several months after initially deploying the malware, with less than 10 victims identified to date.
As part of an attack on an additional victim in South Asia, various tools were deployed for lateral movement, including one previously associated with APT1. Kaspersky’s security researchers believe that the attackers had access to the network since 2018.
To remain under the radar, the Moriya rootkit inspects network packets in kernel mode, drops packets of interest before they could be observed, and does not initiate a server connection, but waits for incoming traffic instead. Persistence is achieved through the creation of a service named Network Services Manager.
“This tool is a passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them. This forms a covert channel over which attackers are able to issue shell commands and receive back their outputs,” Kaspersky explains.
Moriya features a user mode component responsible for the deployment of the kernel mode component (the VirtualBox driver (VBoxDrv.sys) is abused to bypass Driver Signature Enforcement and load the unsigned driver) and for finding and reading commands sent from the C&C server through the covert communication channel. The rootkit can also establish a reverse shell session.
The rootkit’s driver component leverages the Windows Filtering Platform (WFP) to create a covert channel to the C&C and uses a filtering engine to grab the distinct Moriya-related traffic.
According to Kaspersky, the attackers likely exploit vulnerable web servers within target organizations for initial access, after which they deploy other tools (such as the China Chopper webshell) for network discovery and further payload delivery. Most of the tools are custom and tailored for the intended victims, but open-source malware used by Chinese threat actors was also used in attacks.
Kaspersky says that Moriya is the successor of IISSpy, a rootkit observed in 2018 in attacks unrelated to the TunnelSnake campaign. Furthermore, the researchers found a connection with the developers of the ProcessKiller malware, which is used to shut down antivirus products.
While they did not attribute the attacks to a specific adversary, Kaspersky’s researchers say that a Chinese-speaking threat actor is likely behind the campaign. The targeting is in line to that of Chinese groups and the employed tools also support the hypothesis.
“The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth,” Kaspersky concludes.