Ancient Moonlight Maze backdoor re-emerges as modern APT

Businesses worldwide are at risk of attack by an elderly APT twisted for modern purposes.
Written by Charlie Osborne, Contributing Writer
(Image: ZDNet)

Researchers have discovered that an ancient APT used to target the Pentagon decades ago is now being utilized by modern cyberattackers.

On Monday, at the Kaspersky Security Analyst Summit in St. Maarten, researchers from Kaspersky and King's College London said that Moonlight Maze, which sent fear shooting through the hearts of US agencies over two decades ago, is still finding relevance in modern-day attacks.

The advanced persistent threat (APT), known for targeted attacks against the Pentagon, NASA, and other prominent US agencies and bodies in the 1990s, was kept under wraps following additional security breaches at American universities, the Department of Energy and US military and government networks.

At the time, a classified investigation into Moonlight Maze took place, and once it concluded, US officials in 2008 destroyed evidence pertaining to the APT -- which was also codenamed Storm Cloud and Maker's Mark and mentioned in the Snowden leaks.

However, Kaspersky and King's College London researchers have now been able to retrace the steps of the past and have found threads of commonality between the attack tools used by Moonlight Maze operators and modern threat actors.

Kaspersky Lab researchers Juan Andres Guerrero-Saade and Costin Raiu, together with King's College London's Thomas Rid and Danny Moore, analyzed samples, logs, and artifacts belonging to the old APT code to make the connection, thanks to the efforts of a retired IT administrator.

The IT admin came across a compromised server back in 1998, which was originally used as a relay point and proxy for Moonlight Maze to connect with victim systems. While the proxy disguised the APT's tracks, the server was turned against the threat actors and was later used as a means to spy on the malware's operators.

The victim logs, roughly 45 binaries that comprised most of the attackers' toolkit, and server information were then given to Kaspersky. Guerrero-Saade called the collection a "time capsule" that contained a forensic treasure trove of the old code.

This cache, combined with interviews of roughly 40 individuals connected with the original US law enforcement investigation, allowed the research team to investigate Moonlight Maze and look for any forensic, hard evidence that would connect the ancient APT with a modern attack group called Turla.

Moonlight Maze was an open-source, Unix-based attack that targeted Solaris systems and made use of a backdoor based on LOKI2, software released in 1996. According to Kaspersky, samples taken from Turla campaigns in 2014, dubbed Penguin Turla, are also based on LOKI2.

(Image: Kaspersky)

After a nine-month investigation in 2016, the researchers discovered that the "massive" Moonlight Maze campaign's code base, including the Linux-based backdoor used in 1998 to tunnel information out of victim networks, was indeed connected to the modern-day Turla APT and attacks in 2011 against a defense contractor in Switzerland.

In March, Kaspersky found fresh samples of Penguin Turla used to create a backdoor into a German target's systems, suggesting the old code has been used as recently as this year.

"Further, the re-analysis showed that all of them use code created between 1999 and 2004," Kaspersky said. "Remarkably, this code is still being used in attacks."

The code's engine has received very little modification, and yet it is still being used by cyberattackers today.

There is, however, clear progression between Moonlight Maze and Penguin Turla. Elements of the code and attacks appear to point toward Russian threat actors, and the age of the attack places the APT next to the Equation Group in terms of longevity.

Kaspersky says that some of Equation Group's command-and-control (C&C) servers date back to 1996, and Moonlight Maze emerged from the shadows in the same year.

There are only seven samples of Penguin Turla in total, all of which were uploaded to VirusTotal this year after the German attack. The samples are rare, as malware operators use the code "very selectively," according to Guerrero-Saade -- and only when cyberattackers have been booted out of a network and want to try to regain access.

While the evidence connects Moonlight Maze and Turla, it may also be that Turla relies on this ancient code for targets that are harder to infect through the group's standard Windows toolkit.

"In the late 1990s, no one foresaw the reach and persistence of a coordinated cyberespionage campaign," said Guerrero-Saade. "We need to ask ourselves why it is that attackers are still able to successfully leverage ancient code in modern attacks."

Speaking to ZDNet, Guerrero-Saade said that the functionality of the original Moonlight Maze code has been improved, but it is "unbelievable" that an attack method which is publicly known and was developed roughly 20 years ago is still in use today.

The security expert believes the reason why the LOKI2-based backdoor is still able to tunnel into modern-day Linux versions is that "most Linux administrators do not take endpoint security seriously."

"I would struggle to find a 20-year-old Windows tool which would still work [in attacks]," Guerrero-Saade commented. "But there is a 20-year-old Linux tool which can still floor Linux administrators."

According to the researcher, the majority of Linux administrators rely on the separation of unprivileged users and root accounts, rather than endpoint security solutions.

There is no patch for the problem, as the backdoor is not a vulnerability per se, but the best way to protect against Turla -- which still uses the ancient code -- is to consider protecting network endpoints.

Disclosure: The trip to St. Maarten was sponsored by Kaspersky.
