New Moriya Rootkit Being Used in The Wild
An Unknown Threat Actor Is Using a New Stealthy Rootkit to Backdoor Windows Systems.
It looks like an unknown threat actor had used a new and seemingly stealthy rootkit in order to backdoor target Windows systems. The attack looks very similar to the ongoing espionage campaign called TunnelSnake going back to at least 2018.
What are Rootkits?
Rootkits are malicious tools designed to evade detection. They are able to bury themselves deep into the operating system, therefore they can be used by attackers in order to fully take over infected systems whilst avoid being caught.
The Moriya malware has previously been unknown until researchers from Kaspersky have discovered it in the wild.
Moriya is used to enable attackers to spy on their victims’ network traffic and send commands to compromised hosts, whilst not being detectable.
Moriya allowed TunnelSnake operators to capture and analyze incoming network traffic “from the Windows kernel’s address space, a memory region where the operating system’s kernel resides and where typically only privileged and trusted code runs.”
An important aspect that needs consideration is the way in which the backdoor receives commands.
The commands are coming in the form of custom-crafted packets that are hidden within the victims’ network traffic, without having to reach out to a command-and-control server, therefore adding even more to the operation’s stealth and showing the threat actor’s focus on evading detection, according to a statement made by Mark Lechtik.
We see more and more covert campaigns such as TunnelSnake, where actors take additional steps to remain under the radar for as long as possible, and invest in their toolsets, making them more tailored, complex and harder to detect.
According to the researchers from Kaspersky, the malware was deployed on the networks of less than 10 entities in a highly targeted attack, with the threat actor making use of the backdoored systems that were belonging to the Asian and African diplomatic entities as well as to other high-profile organizations in order to gain control of their networks and maintain their persistence for months without being detected.
Heimdal™ Threat Prevention - Network
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
The attackers have also deployed additional tools like China Chopper, BOUNCER, Termite, and Earthworm, during the post-exploitation stage on the compromised systems, this action enabling them to laterally move on the network after scanning and finding new vulnerable hosts on the victims’ networks.
According to the researchers from Kaspersky, the entry point consisted of outdated IIS web servers, with a confirmed entry point being a server not patched for the vulnerability tracked as CVE-2017-7269.
The vulnerability was used by the attackers to install a web shell on the victim’s device and then use it in order to deploy Moriya.
Who Could Be Behind the Attack?
At this time the campaign was not attributed to a specific threat actor, but the tactics, techniques, and procedures (TTP) used in the attacks are suggesting that the attackers are likely Chinese-speaking.
We also found an older version of Moriya used in a stand-alone attack in 2018, which points to the actor being active since at least 2018.
The targets’ profile and leveraged toolset suggest that the actor’s purpose in this campaign is espionage, though we can only partially attest to this with a lack of visibility into any actual siphoned data.