Kaspersky researchers have uncovered TunnelSnake, an ongoing advanced persistent threat (APT) campaign, active since 2019, which has targeted regional diplomatic entities in Asia and Africa. The attackers deployed a previously unknown rootkit dubbed Moriya. This piece of malware, with nearly absolute power over the operating system, enabled threat actors to intercept network traffic and conceal malicious commands issued to the infected hosts. This led to the attackers secretly controlling the networks of the targeted organizations for several months.
Rootkits are malicious programs or collections of software tools, that give attackers practically unlimited and covert access to an infected computer. Rootkits are notorious for stealth and evasion due to their ability to blend into the fabric of the operating system. Thanks to measures taken by Microsoft over the years to protect systems, successful deployment and execution of a rootkit component has become a difficult task, especially in the kernel space, with most Windows rootkits now being leveraged in high profile APT attacks, such as TunnelSnake.
The investigation into the campaign started when Kaspersky received a set of alerts from its product upon detection of a unique rootkit within the targeted networks. This rootkit, which was dubbed Moriya, was particularly evasive thanks to two traits. It intercepts and inspects network packets in transit from the Windows kernel’s address space, a memory region where the operating system’s kernel resides and where typically only privileged and trusted code runs. This allowed the malware to drop the unique malicious packets delivered to it before they are processed by the operating system’s network stack.
This enabled the attackers to avoid detection by security solutions. Secondly, the rootkit did not reach out to any server to request commands, as is the case for most common backdoors, but rather received those in specially marked packets, blended in the bulk of network traffic that the malware inspected. This allowed the rootkit to avoid the need to maintain a Command and Control infrastructure, thereby hindering analysis and making the activity harder to trace.
Moriya was mostly deployed through a compromise to vulnerable web servers within the targets’ organizations. In one case, the attackers infected a server with the China Chopper webshell, a malicious code allowing remote control of the infected server. Using the access obtained with that webshell, the Moriya rootkit was deployed.
Additionally, a set of various tools – tailor-made or previously seen in use by various Chinese-speaking actors, was employed alongside the rootkit, which allowed the attackers to scan hosts in the local network, find new targets, and perform a lateral movement to spread to them and exfiltrate files.
“While we were not able to attribute the campaign to a specific actor, both targets and tools used in the APT have a connection to known Chinese-speaking groups, thereby pointing to the actor likely also being Chinese-speaking. We also found an older version of Moriya used in a stand-alone attack in 2018, which points at the actor being active since at least 2018. The targets’ profile and leveraged toolset suggest that the actor’s purpose in this campaign is espionage, though we can only partially attest to this with lack of visibility into any actual siphoned data”, comments Giampaolo Dedola, senior security researcher at Kaspersky’s Global Research and Analysis Team.
“As we continue to gear up and better defend from targeted attacks, threat actors have been responding by changing their strategy. We see more and more covert campaigns such as TunnelSnake, where actors take additional steps to remain under the radar for as long as possible, and invest in their toolsets, making them more tailored, complex and harder to detect. At the same time, as seen by our discovery, highly covert tools can also be spotted and stopped. This is an ongoing race between security vendors and threat actors, and to win it, we as cybersecurity community, need to continue to work together,” adds Mark Lechtik, senior security researcher at Kaspersky’s Global Research and Analysis Team.
Read the full report about TunnelSnake campaign on Securelist.
Detailed information on Indicators of Compromise related to this operation, including file hashes, can be accessed on the Kaspersky Threat Intelligence Portal.
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.