Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Diplomatic Entities Targeted with New ‘Moriya’ Windows Rootkit

Researchers at anti-malware vendor Kaspersky are documenting a previously unknown Windows rootkit being used in the toolkit of an APT actor currently targeting diplomatic entities in Asia and Africa.

Researchers at anti-malware vendor Kaspersky are documenting a previously unknown Windows rootkit being used in the toolkit of an APT actor currently targeting diplomatic entities in Asia and Africa.

Dubbed Moriya, the rootkit provides the threat actor with the ability to intercept network traffic and hide commands sent to the infected machines, thus allowing the attackers to stay hidden within the compromised networks for months.

The rootkit is part of the toolkit used by TunnelSnake, an unknown actor that deploys backdoors onto public servers belonging to the targeted entities. Multiple other tools that show cover overlaps with the rootkit were also found.


Kaspersky discovered the rootkit on the networks of regional diplomatic organizations in Asia and Africa and says that the oldest identified instances are dated October 2019. The attacker managed to maintain persistence for several months after initially deploying the malware, with less than 10 victims identified to date.


[RELATED: Google: APT Group Burned 11 Zero-Days in Spying Operation ]


As part of an attack on an additional victim in South Asia, various tools were deployed for lateral movement, including one previously associated with APT1. Kaspersky’s security researchers believe that the attackers had access to the network since 2018.


To remain under the radar, the Moriya rootkit inspects network packets in kernel mode, drops packets of interest before they could be observed, and does not initiate a server connection, but waits for incoming traffic instead. Persistence is achieved through the creation of a service named Network Services Manager.


“This tool is a passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them. This forms a covert channel over which attackers are able to issue shell commands and receive back their outputs,” Kaspersky explains.


Moriya features a user mode component responsible for the deployment of the kernel mode component (the VirtualBox driver (VBoxDrv.sys) is abused to bypass Driver Signature Enforcement and load the unsigned driver) and for finding and reading commands sent from the C&C server through the covert communication channel. The rootkit can also establish a reverse shell session.


The rootkit’s driver component leverages the Windows Filtering Platform (WFP) to create a covert channel to the C&C and uses a filtering engine to grab the distinct Moriya-related traffic.


According to Kaspersky, the attackers likely exploit vulnerable web servers within target organizations for initial access, after which they deploy other tools (such as the China Chopper webshell) for network discovery and further payload delivery. Most of the tools are custom and tailored for the intended victims, but open-source malware used by Chinese threat actors was also used in attacks.


Kaspersky says that Moriya is the successor of IISSpy, a rootkit observed in 2018 in attacks unrelated to the TunnelSnake campaign. Furthermore, the researchers found a connection with the developers of the ProcessKiller malware, which is used to shut down antivirus products.


While they did not attribute the attacks to a specific adversary, Kaspersky’s researchers say that a Chinese-speaking threat actor is likely behind the campaign. The targeting is in line to that of Chinese groups and the employed tools also support the hypothesis.


“The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth,” Kaspersky concludes.


Related: Researchers Detail Operations of SilverFish Espionage Group


Related: Old Iranian Spying Operation Resumes After Long Break

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.