New Moriya rootkit used to backdoor targeted Windows systems

An unknown threat actor has used a new, stealthy rootkit to backdoor targeted Windows systems in what looks like an ongoing espionage campaign, dubbed TunnelSnake, going back to at least 2018. Kaspersky researchers found that an advanced persistent threat (APT) group of unknown origin, suspected of being Chinese-speaking, has used the rootkit to quietly take control of networks belonging to targeted organizations.
Rootkits are tool packages designed to stay under the radar by hiding themselves deep inside the system. They range from kernel-mode malware to firmware and memory-resident implants, and they typically run with high privileges, which is what lets them conceal their files, processes and network activity from administrators and security software.
According to Kaspersky, the newly discovered rootkit, named Moriya, is used to deploy passive backdoors on public-facing servers. The backdoors then give the threat actors' command-and-control (C2) infrastructure a quiet, covert channel into the compromised host.
Moriya allowed TunnelSnake operators to capture and analyze incoming network traffic "from the Windows kernel's address space, a memory region where the operating system's kernel resides and where typically only privileged and trusted code runs."
The backdoor receives its commands as custom-crafted packets hidden within the victims' ordinary inbound network traffic, and never needs to reach out to a command-and-control server itself. With no outbound beacon for network monitoring to catch, this further added to the operation's stealth and shows the threat actor's focus on evading detection.
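To make the mechanism concrete, the following Python model is an added illustration written for this article, not Moriya's code or Kaspersky's analysis: it simulates a network-triggered ("passive") implant that hooks traffic below the socket layer of a public-facing web server, and one detection check of the kind a defender would want. The marker bytes, hosts, ports and log format are invented for the demo, and the wire-versus-access-log comparison is an assumed approach, not one the article describes.

```python
"""Added illustration of a passive, network-triggered backdoor and one way to
surface it. Demo code for this article, not Moriya's implementation: the
marker bytes, hosts, ports and log formats are all invented."""
from dataclasses import dataclass, field

# Hypothetical trigger marker; Moriya's real packet format is not reproduced.
MARKER = b"\xde\xad\x07\x00"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Server:
    """A public-facing host: a user-mode service on `service_port` and, when
    `implanted` is True, a kernel-level filter sitting in front of it."""
    service_port: int
    implanted: bool = False
    access_log: list = field(default_factory=list)        # what the service saw
    implant_commands: list = field(default_factory=list)  # what the implant ran

    def listening_ports(self):
        # What a host-side socket inventory (netstat, Get-NetTCPConnection)
        # would report: the implant opens no socket of its own.
        return {self.service_port}

    def receive(self, pkt):
        """Return the reply packet, or None. Tagged packets are consumed by
        the 'kernel' hook and never reach the service, so they leave no
        access-log entry; everything else is delivered normally."""
        if self.implanted and pkt.payload.startswith(MARKER):
            cmd = pkt.payload[len(MARKER):]
            self.implant_commands.append(cmd)
            return Packet(pkt.dst, pkt.src, pkt.dport, b"OK " + cmd)
        if pkt.dport == self.service_port:
            self.access_log.append((pkt.src, pkt.payload.split(b"\r\n")[0]))
            return Packet(pkt.dst, pkt.src, pkt.dport, b"HTTP/1.1 200 OK")
        return None


def wire_vs_log_gap(wire_flows, access_log, service_port):
    """Detection check (assumed approach): any inbound session to the service
    port that was answered on the wire but has no matching access-log entry
    was handled by something below the application."""
    logged = {(src, line) for src, line in access_log}
    gaps = []
    for pkt, reply in wire_flows:
        if pkt.dport != service_port or reply is None:
            continue
        first_line = pkt.payload.split(b"\r\n")[0]
        if (pkt.src, first_line) not in logged:
            gaps.append((pkt.src, first_line))
    return gaps


def run_demo():
    srv = Server(service_port=80, implanted=True)
    # Constructed traffic: two ordinary requests and one tagged command packet.
    inbound = [
        Packet("198.51.100.10", "203.0.113.5", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
        Packet("198.51.100.11", "203.0.113.5", 80, MARKER + b"whoami"),
        Packet("198.51.100.12", "203.0.113.5", 80, b"GET /login HTTP/1.1\r\nHost: x\r\n\r\n"),
    ]
    # A network sensor in front of the host sees every request and reply pair.
    wire_flows = [(p, srv.receive(p)) for p in inbound]
    return srv, wire_vs_log_gap(wire_flows, srv.access_log, 80)


if __name__ == "__main__":
    srv, gaps = run_demo()
    print("listening ports per host inventory:", srv.listening_ports())
    print("commands executed by implant:", srv.implant_commands)
    print("wire sessions with no access-log entry:", gaps)
```

The point of the model is the asymmetry it shows: the host's own socket inventory stays clean (only port 80 is listening) and the web server's access log is complete from the application's point of view, yet a sensor on the network segment sees a third session to port 80 that the host answered but never logged. That mismatch between what crossed the wire and what the application recorded is the kind of signal worth alerting on when an implant sits below the socket layer.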
"We see more and more covert campaigns such as TunnelSnake, where actors take additional steps to remain under the radar for as long as possible, and invest in their toolsets, making them more tailored, complex and harder to detect," Mark Lechtik, a senior security researcher at Kaspersky's Global Research and Analysis Team, said.