TunnelSnake: Moriya rootkit attack campaign discovered

It's called TunnelSnake, and it's a cyber attack operation that uses a never-before-seen rootkit called Moriya. It was identified by researchers from Kaspersky, a globally known cybersecurity company. The malware has attacked the networks of diplomatic organizations in Asia and Africa and is reported to have been operational since October 2019. The attackers' goal was likely to spy on the organizations, sniff network traffic and monitor their infrastructure for several months.

Tunnelsnake and the Moriya rootkit: the operation

The attack discovered by the security researchers was classified as an APT (Advanced Persistent Threat). As the name implies, it is a type of targeted and persistent attack aimed at a specific victim. The attackers are generally groups or organizations with deep technical knowledge and the resources needed to carry out the offensive. APT targets are also characteristic: given the nature of the attacks, the targets are mostly high-profile organizations, such as large corporations, states or diplomatic bodies. The aim is generally to collect top-secret information and industrial or military secrets.

In the case of TunnelSnake (the name given to the operation) the victims were various diplomatic organizations from Africa and Asia. After receiving alerts about a unique rootkit on the target networks, Kaspersky spotted the malware, naming it Moriya. It is a passive backdoor, capable of inspecting network traffic directed to the infected machine and filtering out the packets meant for it. Because the rootkit does not initiate communication with the C&C (Command & Control) server but waits for packets carrying instructions to arrive (which is what makes it passive), there is no need to embed the attacker's server address in the backdoor's binaries, which protects the attackers from being tracked.

The architecture of the Moriya rootkit. Source: SecureList

By inspecting network traffic and filtering out the packets that carry malicious commands, Moriya evades the checks of the operating system's network stack. The rootkit consists of two main components: a User Mode Agent and a Kernel Mode Driver. The first takes care of deploying the kernel component, reading the commands sent by the server and responding to the received packets. The second uses the Windows Filtering Platform to filter packets in transit, process them and make them available to the User Mode Agent, which consumes them. The Kernel Mode Driver uses an ad-hoc filtering engine to identify the packets intended for it. The first machines were infected through the China Chopper web shell, a tool commonly used by Chinese hacking groups to control remote web servers.
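The two paragraphs above make one point that matters for detection: a passive implant never beacons out, and the packets it accepts are pulled out of the traffic below the operating system's network stack, so host-side socket listings show no listener for them. One defensive consequence is that a network sensor and the host's own view of its sockets will disagree. The following is an added illustration of that cross-check, not code from Kaspersky or from the Moriya analysis; the flow records and the listener inventory are constructed sample data, and the field names are assumptions chosen for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One bidirectional flow as reported by a network sensor (span port / NetFlow)."""
    src: str
    dst: str
    dport: int
    proto: str
    bytes_in: int   # payload bytes the client sent to dst
    bytes_out: int  # payload bytes dst sent back to the client


# Constructed sample: flows observed on the wire towards two monitored hosts.
FLOWS: List[Flow] = [
    Flow("10.0.0.5", "10.0.0.20", 443, "tcp", 1200, 9800),      # normal HTTPS to a real listener
    Flow("203.0.113.7", "10.0.0.20", 8443, "tcp", 60, 0),       # probe to a closed port, no reply payload
    Flow("198.51.100.9", "10.0.0.20", 5443, "tcp", 420, 3100),  # two-way payload on a port nothing listens on
    Flow("10.0.0.6", "10.0.0.21", 445, "tcp", 300, 700),        # normal SMB to a real listener
]

# Constructed sample: listening sockets each host reports about itself
# (what an EDR agent or a netstat-style inventory would collect at the same time).
HOST_LISTENERS: Dict[str, Set[Tuple[str, int]]] = {
    "10.0.0.20": {("tcp", 443), ("tcp", 3389)},
    "10.0.0.21": {("tcp", 445), ("tcp", 135)},
}


def find_below_stack_exchanges(flows: List[Flow],
                               listeners: Dict[str, Set[Tuple[str, int]]],
                               min_reply_bytes: int = 1) -> List[Flow]:
    """Flag flows where a host answered with payload on a port it claims not to listen on.

    A closed port handled by the normal stack replies with a RST or silence and
    carries no payload back, so a non-trivial reply with no matching listener
    means something answered underneath the socket layer.
    """
    findings: List[Flow] = []
    for f in flows:
        if f.dst not in listeners:
            continue  # host not in the inventory; nothing to compare against
        if (f.proto, f.dport) in listeners[f.dst]:
            continue  # a legitimate listener explains the traffic
        if f.bytes_out < min_reply_bytes:
            continue  # closed port behaving normally: no payload came back
        findings.append(f)
    return findings


def summarize(findings: List[Flow]) -> Dict[str, List[int]]:
    """Group flagged destination ports per host for a triage report."""
    report: Dict[str, List[int]] = {}
    for f in findings:
        report.setdefault(f.dst, []).append(f.dport)
    return report


if __name__ == "__main__":
    hits = find_below_stack_exchanges(FLOWS, HOST_LISTENERS)
    for host, ports in summarize(hits).items():
        print(f"{host}: payload exchanged on unlistened ports {sorted(ports)}")
```

Two caveats apply when running this against real data. The listener inventory must be captured close in time to the flow window, otherwise short-lived listeners (dynamic RPC ports, installers, debugging tools) produce false positives. And the check only catches the reply half of the exchange; an implant that receives commands but never answers on the same flow would have to be hunted by other means, such as reviewing the Windows Filtering Platform callouts and the kernel drivers that registered them.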

Attackers and victims

The use of China Chopper and of other tools such as Bouncer, Termite and EarthWorm supports the hypothesis that a Chinese group of cyber criminals is behind the attack campaign. Although it does not know the identity of the attackers or the organization they belong to, Kaspersky is quite confident about the group's origin. Attacks on the same organizations targeted by TunnelSnake have already occurred in the past, always with the aim of gaining access to confidential information.

The China Chopper web shell interface. Source: FireEye

Fewer than 10 targets were hit by the attack, but two of them are important diplomatic organizations. Kaspersky has so far removed the rootkit from the infected machines, but the TunnelSnake operation, and Moriya with it, may still be active and capable of affecting other organizations. Although instances of Moriya have been present since the end of 2019, it is likely that the same group of attackers already had access to the same machines as early as 2018, using other tools.

Just as we continue to equip ourselves to better defend ourselves from targeted attacks, threat actors also strive to change their strategy. We are seeing an increasing number of campaigns similar to that of TunnelSnake, where actors take a series of measures to stay hidden for as long as possible, and invest in their toolsets, making them more personalized, complex and difficult to detect. At the same time, as our discovery revealed, even the most sophisticated tools can be identified and stopped. This is a never-ending race between security vendors and threat actors, and to win it, the cybersecurity community must continue to work together.

Mark Lechtik, senior security researcher with Kaspersky's Global Research and Analysis Team

The article TunnelSnake: Moriya rootkit attack campaign discovered comes from Tech CuE | Close-up Engineering .