New Moriya rootkit stealthily backdoors Windows systems

Unknown attackers may have been quietly exploiting networks in attacks reaching back to 2018.
Written by Charlie Osborne, Contributing Writer

Unknown threat actors have been employing a Windows rootkit for years to stealthily install backdoors on vulnerable machines.

In a campaign dubbed Operation TunnelSnake by Kaspersky researchers, the team said on Thursday that an advanced persistent threat (APT) group, origin unknown but suspected of being Chinese-speaking, has used the rootkit to quietly take control of networks belonging to organizations. 

Rootkits are packages of tools that are designed to stay under the radar by hiding themselves in deep levels of system code. Rootkits can range from malware designed to attack the kernel to firmware, or memory, and will often operate with high levels of privilege. 

According to Kaspersky, the newly-discovered rootkit, named Moriya, is used to deploy passive backdoors on public-facing servers. The backdoors are then used to establish a connection -- quietly -- with a command-and-control (C2) server controlled by the threat actors for malicious purposes. 

The backdoor allows attackers to monitor all traffic, incoming and outgoing, that passes through an infected machine and filter out packets sent for the malware. 

The packet inspection occurs in kernel mode with the help of a Windows driver. The rootkit also waits for incoming traffic in order to bury communication with the C2 and eradicate the need to reach out directly to the C2, which would potentially leave a malicious footprint that could be detected by security products. 

"This forms a covert channel over which attackers are able to issue shell commands and receive back their outputs," Kaspersky says. "Since Moriya is a passive backdoor intended to be deployed on a server accessible from the internet, it contains no hardcoded C2 address and relies solely on the driver to provide it with packets filtered from the machine's overall incoming traffic."

Kaspersky suspects the APT is Chinese-speaking, supported by the use of post-exploit tools previously linked to Chinese threat groups including China Chopper, Bounder, Termite, and Earthworm. Malicious activities include host scanning, lateral movement across networks, and file exfiltration. 

Victims of the APT have been found in Asia and Africa. The researchers say that "prominent" diplomatic organizations in these regions have been targeted. While the rootkit was detected in October 2019 and May 2020, the team suspects that based on timestamps related to the post-exploit of another victim in South Asia, the APT may have been in operation since 2018, or earlier. 

However, it appears that attacks are extremely focused -- with less than 10 victims worldwide recorded by Kaspersky telemetry. At least, so far. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards