10 May 2021

TunnelSnake cyber-espionage campaign deploys unique rootkit to backdoor Windows systems

An unknown threat actor deployed a previously undocumented rootkit designed to secretly control networks of target organizations in what appears to be a cyber-espionage campaign going back to at least 2018.

The rootkit, dubbed ‘Moriya’ by researchers at Kaspersky, was discovered during an investigation of the TunnelSnake campaign, which targeted several prominent organizations in Asia and Africa. According to Kaspersky, Moriya is a passive backdoor: it inspects all incoming traffic to the infected machine, picks out the packets marked as intended for the malware, responds to them, and in this way gives the operators a channel for sending commands to the infected hosts.

“The rootkit has two traits that make it particularly evasive. The packet inspection happens in kernel mode with the use of a Windows driver, allowing attackers to drop the packets of interest before they are processed by the network stack, thus ensuring they are not detected by security solutions. Secondly, the fact that the rootkit waits for incoming traffic rather than initiating a connection to a server itself avoids the need to incorporate a C&C address in the malware’s binary or to maintain a steady C&C infrastructure. This hinders analysis and makes it difficult to trace the attacker’s footprints,” according to the report.
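The mechanism described above, as an added example that is not code from the original article or from Kaspersky's report: a user-mode Python model of a passive kernel-mode packet filter sitting in front of the network stack. The marker bytes, addresses, ports and payloads are constructed for the example; the page does not give Moriya's real marker or command protocol, so `MAGIC` and the reply format are assumptions. The point the model makes is the one in the quoted paragraph: marked packets are consumed and answered before the stack ever sees them, so anything that queries the stack (netstat, user-mode network sensors, connection logs) records only the unmarked traffic, and the backdoor never originates a connection of its own.

```python
import struct
from dataclasses import dataclass

# Hypothetical marker. The page does not give Moriya's real packet marker;
# this value is an assumption made for the example only.
MAGIC = b"MORIYA\x00\x01"


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+TCP datagram (checksums left zero; constructed test data)."""
    total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    # data offset 5 (20-byte header) in the high nibble, PSH|ACK flags
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x18, 0xFFFF, 0, 0)
    return ip + tcp + payload


def parse_ipv4_tcp(raw: bytes):
    """Parse the datagram back into a Packet; return None for anything that is not TCP."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:
        return None
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    tcp = raw[ihl:]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4
    return Packet(src, dst, sport, dport, tcp[doff:])


class NetworkStack:
    """Stand-in for the OS network stack and every user-mode sensor behind it."""
    def __init__(self):
        self.delivered = []

    def receive(self, pkt: Packet):
        self.delivered.append(pkt)


class PassiveKernelFilter:
    """Model of a kernel-mode filter placed in front of the stack.

    Packets carrying the marker are consumed and answered here; everything
    else is handed to the stack untouched. No outbound connection is ever
    initiated, so there is no C&C address to recover from the binary.
    """
    def __init__(self, stack: NetworkStack, magic: bytes):
        self.stack = stack
        self.magic = magic
        self.commands = []

    def inbound(self, raw: bytes):
        pkt = parse_ipv4_tcp(raw)
        if pkt is not None and pkt.payload.startswith(self.magic):
            cmd = pkt.payload[len(self.magic):]
            self.commands.append(cmd)
            # Reply is sourced from the victim by swapping the 4-tuple;
            # the reply format is invented for the example.
            return build_ipv4_tcp(pkt.dst, pkt.src, pkt.dport, pkt.sport,
                                  self.magic + b"OK:" + cmd)
        if pkt is not None:
            self.stack.receive(pkt)
        return None


def simulate():
    """Feed one ordinary request and one marked packet through the filter."""
    stack = NetworkStack()
    rootkit = PassiveKernelFilter(stack, MAGIC)
    frames = [  # constructed sample traffic
        build_ipv4_tcp("10.0.0.5", "10.0.0.20", 40001, 80, b"GET / HTTP/1.1\r\n\r\n"),
        build_ipv4_tcp("203.0.113.7", "10.0.0.20", 51234, 443, MAGIC + b"whoami"),
    ]
    replies = [rootkit.inbound(f) for f in frames]
    return {
        "stack_saw": [p.payload for p in stack.delivered],
        "rootkit_commands": rootkit.commands,
        "replies": [parse_ipv4_tcp(r).payload for r in replies if r is not None],
    }


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the stack delivering only the HTTP request while the filter records the `whoami` command and answers it from the victim's own address. For defenders the practical consequence is that host-side evidence has to come from the driver itself (its signature, its load path, its registration with the networking subsystem) rather than from the stack's connection table, and network-side evidence from inbound packets that draw a reply without matching any connection the host admits to.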

In addition to Moriya, the TunnelSnake operators deployed several tools, such as China Chopper, BOUNCER, Termite, and Earthworm (previously attributed to well-known Chinese-speaking threat actors), during the post-exploitation stage on the compromised systems.

As for the victims of the campaign, Kaspersky’s telemetry showed that the attacks were highly targeted and reached fewer than 10 victims worldwide, the most prominent being two large regional diplomatic organizations in South-East Asia and Africa. The remaining victims were located in South Asia.

The researchers said they have not been able to attribute the TunnelSnake operation to a specific threat actor, but based on the TTPs used throughout the campaign they assess that a Chinese APT group was behind it.

“Still, with activity dating back to at least 2018, the threat actor behind this campaign has shown that it is able to evolve and tailor its toolset to target environments. This indicates the group conducting these attacks may well still be active and retooling for additional operations in the area of interest outlined in this publication, as well as other regions,” Kaspersky concluded.
