Researchers have uncovered what they call a highly-evasive Windows rootkit, being utilized by cybercriminals in a targeted campaign to infiltrate the networks of high-profile organizations since at least 2018.
The rootkit, which researchers with Kaspersky in a new report call Moriya (due to string artifacts within the malware’s binaries) has been utilized by an unknown actor to deploy backdoors on public-facing servers. Less than 10 victims have been targeted so far in the campaign, which researchers call TunnelSnake, including two large regional diplomatic organizations in Asia and Africa.
The rootkit, which allows attackers to snoop in on victim network traffic, is unique in that it maintains “a considerable amount of stealth,” said researchers, including its leveraging of Windows drivers, covert communications channels and proprietary malware.
“The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations,” said Mark Lechtik, senior security researcher with Kaspersky, on Thursday.
Researchers believe that attackers first infect victims with Moriya through targeting vulnerable web servers in victims’ networks. In one incident, for instance, attackers used the China Chopper webshell to infect an organization’s mail server. They then leveraged that infection to map the victim’s network and deploy other tools in it, including the rootkit. Once downloaded, Moriya acts as a backdoor that enables attackers to inspect all incoming traffic to the victim’s system, filter out packets that are marked as designated for the malware and respond to them - ultimately providing attackers with a covert channel to issue shell commands and receive back their outputs.
Researchers also observed a set of post-exploitation tools with an array of functionalities on a target in South Asia that they assessed could be in use by the same attacker. These include network discovery capabilities - used to scan the internal network in order to detect further vulnerable services - through an HTTP scanner command-line tool and a DCOM scanner command-line utility. Also discovered were two versions of a malware called Bouncer - previously identified by FireEye Mandiant in 2013 - in order to spread to other hosts in targeted networks. The malware acts as a backdoor, providing features that can be used to control a remote host and achieve lateral movement.
Finally, several multi-platform utilities were used to establish connections with remote hosts and exfiltrate data, including two known ones called Earthworm, which creates tunnels between compromised hosts in order to transfer data, and Termite, which provides additional tools in order to download and upload files between compromised hosts. Researchers also detected another tool, called Tran, under the filename "tmp," which is utilized to transfer data between compromised hosts.
Moriya itself has two traits that make it particularly evasive, said researchers. First, the attackers can inspect all packets in the privileged kernel mode with the use of a Windows driver. This allows them to drop the packets of interest before they are actually processed by the network stack - meaning that they are not detected by security solutions. The rootkit also waits for incoming traffic, rather than initiating a connection to the command-and-control (C2) server itself. On the attacker’s end, this means there is no need to incorporate a C2 address in the malware’s binary or maintain a steady C2 infrastructure - making it more difficult to trace the attacker’s footprints, said researchers.
That said, researchers were still able to detect the campaign due to its utilization of the commodity China Chopper webshell and use of open-source legacy code, named DSEFIX v1.0, to map the unsigned driver to kernel memory space and execute it from its entry point.
"While rootkits are not as common nowadays as they were in the past, they still represent a class of highly powerful malware implants that are in use by a handful of APT actors."
While researchers did not attribute the attack to a known threat actor, they said based on the tactics, techniques and procedures (TTPs) used in the campaign they “suppose” that the cybercriminals are Chinese-speaking. Several clues point to this conclusion, including the fact that the targeted entities in the campaign were previously attacked by Chinese-speaking actors, and that some of the tools utilized by attackers - including China Chopper - have previously been used in campaigns attributed to well-known Chinese-speaking threat groups, they said.
Lechtik said the campaign ceased the usage of the tools described in the research as soon as they were detected. However, he warned that with the campaign's activity dating back to at least 2018, the threat actor is likely able to evolve and tailor its toolset to target environments.
“This indicates the group conducting these attacks may well still be active and retooling for additional operations in the area of interest outlined in this publication, as well as other regions,” he said.
While rootkits - which typically allow attackers to intercept core I/O operations conducted by the underlying operating system - give cybercriminals high privileges in the system, overall, researchers pointed to the number of Windows rootkits in the wild decreasing dramatically. This is due to Microsoft’s implementation of several protections, such as Driver Signature Enforcement, which makes it more difficult to load and run new code in kernel space, as well as Kernel Patch Protection, which protects code in the Windows kernel from being modified by unknown software or data.
That said, the abilities of these rootkits to camouflage into the fabric of the operating system give attackers a high level of stealth, and the majority of still-active Windows rootkits are being used by high-profile advanced persistent threat (APT) attacks, researchers noted.
“While rootkits are not as common nowadays as they were in the past, they still represent a class of highly powerful malware implants that are in use by a handful of APT actors,” said Lechtik. “In that sense, we don't expect a wide deployment of them in systems worldwide, but for the few advanced groups that are capable of deploying them and staying under the radar, they will likely remain in the wild for years to come.”