We’ll admit, upon hearing about this threat we were immediately reminded of Butch and his gang of Tunnel Snakes in Fallout 4.
That gang, however, is present in more than one place, and wherever they appear in the Fallout universe they strive to control people or the Vault those people live in.
The name of an advanced persistent threat (APT) campaign discovered by Kaspersky then is apt as Operation TunnelSnake seeks to control the organisation it infects with its rootkit.
“A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled,” writes senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), Mark Lechtik.
The GReAT team discovered the rootkit on the networks of regional diplomatic organisations in Asia and Africa. Some infections date back to October 2019, while others were as recent as May 2020.
“A couple of other tools that have significant code overlaps with Moriya were found as well. These contain a user mode version of the malware and another driver-based utility used to defeat AV software,” explains Lechtik.
Moriya is able to both intercept and inspect network traffic in transit from the Windows kernel’s address space. This allows the malware to drop malicious packets before they are processed by the operating system, which lets Moriya evade security solutions.
Worse still, Moriya never contacted a command and control server for commands. Instead it received commands in cleverly disguised packets, which the malware could identify as it inspected network traffic.
With that process in place, Kaspersky noted a number of tools associated with Chinese-speaking threat actors being used alongside Moriya.
“While we were not able to attribute the campaign to a specific actor, both targets and tools used in the APT have a connection to known Chinese-speaking groups, thereby pointing to the actor likely also being Chinese-speaking. We also found an older version of Moriya used in a stand-alone attack in 2018, which points at the actor being active since at least 2018. The targets’ profile and leveraged toolset suggest that the actor’s purpose in this campaign is espionage, though we can only partially attest to this with lack of visibility into any actual siphoned data,” explains senior security researcher at GReAT, Giampaolo Dedola.
Moriya is smart, or rather its creators are smart, and this should stand as testament to the fervour with which cybercriminals create their malware.
While Kaspersky’s GReAT was able to discover Operation TunnelSnake, it did take almost three years. This is not a slight against Kaspersky, mind you: threat hunting is a tough job, and there are many more folks trying to create threats than there are those trying to find them.
With that in mind, you might want to check out Kaspersky’s YARA Training course if you’re keen on hunting threats. You can read more about that here.
As for Operation TunnelSnake and Moriya, perform regular security audits and make sure you’re using a trusted security solution for your network and endpoints.