Rootkits are malicious tools built to bury themselves deep inside the operating system so that attackers can take full control of an infected machine while evading detection. A previously unknown threat actor has been using a new, stealthy rootkit of this kind, now tracked as Moriya, to backdoor Windows systems in what appears to be an ongoing espionage campaign.

In a campaign Kaspersky researchers have dubbed Operation TunnelSnake, the team said on Thursday that an advanced persistent threat (APT) group of unknown origin, suspected of being Chinese-speaking, used the rootkit to silently take control of its targets' networks.

According to Kaspersky, the newly discovered rootkit, called Moriya, is used to plant passive backdoors on public-facing servers. Rather than beaconing out to a command-and-control (C2) server, a passive backdoor waits for the operators to come to it: the rootkit lets the attackers monitor all inbound and outbound traffic passing through the infected machine and pick out the packets that are meant for the malware, which gives them a covert channel into the host.

Moriya let the TunnelSnake operators capture and analyze incoming network traffic “from the Windows kernel address space, a region of memory where the operating system kernel resides and where only privileged and trusted code runs normally.” Because the backdoor received its commands as custom packets hidden inside the victims’ ordinary network traffic, it never needed to contact a C2 server; that, together with the operators' careful selection of victims, added to the stealth of the operation.
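The detection consequence of that design is worth spelling out: a kernel-level passive backdoor answers marked packets without opening a socket, so the host's own socket inventory (netstat and friends) shows no listener while a network sensor sees the host replying. The script below, an added example and not code from the article or from Kaspersky's report, correlates those two views. The flow-record fields, the port inventory and the sample flows are all constructed for the demo.

```python
"""Flag hosts that answer traffic on ports where nothing is listening.

A passive backdoor living in the kernel responds to specially marked packets
without a user-mode socket, so the host's listener inventory and the traffic
seen on the wire disagree. Correlating the two surfaces that disagreement.
All data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One bidirectional flow record as a sensor (e.g. Zeek/NetFlow) would emit it."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str              # "tcp" or "udp"
    bytes_to_server: int
    bytes_from_server: int  # > 0 means the destination answered with payload


# Constructed listener inventory for the server 10.0.0.5, as collected from the
# host itself (e.g. `netstat -ano`). Keyed by host IP -> {(proto, port), ...}.
LISTENERS: Dict[str, Set[Tuple[str, int]]] = {
    "10.0.0.5": {("tcp", 80), ("tcp", 443), ("tcp", 3389)},
}

# Constructed sensor flows. Two of them show 10.0.0.5 answering on ports that
# its own inventory does not list, which is what a passive kernel backdoor
# looks like from the network side.
FLOWS: List[Flow] = [
    Flow("198.51.100.7", 51000, "10.0.0.5", 443, "tcp", 1200, 5400),   # normal HTTPS
    Flow("198.51.100.7", 51001, "10.0.0.5", 80, "tcp", 300, 900),      # normal HTTP
    Flow("203.0.113.9", 40000, "10.0.0.5", 8080, "tcp", 120, 0),       # unanswered probe: scanner noise
    Flow("203.0.113.9", 40001, "10.0.0.5", 8080, "tcp", 160, 2048),    # answered, but no listener on 8080
    Flow("203.0.113.9", 40002, "10.0.0.5", 443, "tcp", 160, 2048),     # answered on a real port
    Flow("203.0.113.9", 40003, "10.0.0.5", 53, "udp", 60, 300),        # answered, but no UDP listener at all
    Flow("203.0.113.9", 40004, "10.0.0.6", 9000, "tcp", 60, 300),      # host with no inventory: cannot judge
]


def suspicious_replies(flows: Iterable[Flow],
                       listeners: Dict[str, Set[Tuple[str, int]]]) -> List[Flow]:
    """Return flows where the destination host sent payload back on a
    (proto, port) pair that its own socket inventory does not contain."""
    hits: List[Flow] = []
    for f in flows:
        if f.bytes_from_server <= 0:
            continue  # unanswered probes are ordinary scanner noise, not evidence
        open_ports = listeners.get(f.dst)
        if open_ports is None:
            continue  # no inventory for this host, so no basis for a verdict
        if (f.proto, f.dport) not in open_ports:
            hits.append(f)
    return hits


def summarize(hits: Iterable[Flow]) -> Dict[Tuple[str, str, int], int]:
    """Count hits per (host, proto, port) so repeated covert-channel use stands out."""
    counts: Dict[Tuple[str, str, int], int] = {}
    for h in hits:
        key = (h.dst, h.proto, h.dport)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(suspicious_replies(FLOWS, LISTENERS)).items():
        host, proto, port = key
        print(f"{host} answered {n} flow(s) on {proto}/{port} with no listener")
```

The obvious gap is also the obvious caveat: an operator who addresses the marked packets to a port that has a legitimate listener (443 in the sample) slips past this heuristic, and catching that case needs protocol-conformance checks on the reply payload rather than a port comparison. The inventory must also come from the host at the same time as the capture, or every legitimately restarted service turns into a false positive.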

The threat actor backdoored systems belonging to diplomatic entities in Asia and Africa and to other high-profile organizations, took control of their networks and maintained persistence for months without being detected. During the post-exploitation phase the attackers also deployed additional tools on the compromised systems, including China Chopper, BOUNCER, Termite and Earthworm, which let them scan for further vulnerable hosts on the victims’ networks and move laterally to them.

See also:
Rootkit – What you should know about it?
Cold Boot Attack – A risk to our information
