Operation TunnelSnake: Moriya Rootkit Detection

May 12, 2021 · 4 min read

Security researchers from Kaspersky Lab have uncovered a previously unknown Windows rootkit stealthily leveraged by a China-affiliated APT actor for years to install backdoors on the infected instances. Dubbed Moriya, the rootkit provides attackers with the ability to capture network traffic and covertly execute commands on the compromised devices while flying under the radar of security products. Researchers believe that Moriya complements the malicious toolset of the long-lasting Operation TunnelSnake aimed at cyber-espionage against regional diplomatic assets across Asia and Africa. 

Moriya Rootkit

According to the detailed inquiry from Kaspersky, Moriya is a sophisticated malicious tool able to place passive backdoors on the public-facing servers of the organization. These backdoors further establish a covert connection with the attackers’ command-and-control (C&C) server to monitor all the traffic going through a compromised instance and filter packets designated for nefarious purposes. Notably, Moriya does not set up a server connection but waits for the incoming traffic instead. Furthermore, the rootkit inspects traffic in kernel mode with the help of a Windows driver and drops the required packets stealthily. This approach allows attackers to stay unnoticed inside the compromised network for months obtaining a covert channel to execute shell commands. 

The rootkit structure consists of a kernel-mode driver and a user-mode agent responsible for its deployment and control. To achieve the first task, the agent leverages a common technique that abuses the VirtualBox driver to bypass the Driver Signature Enforcement mechanism and load the unsigned Moriya’s driver to kernel memory space. Also, this component is responsible for filtering out commands from the C&C server by generating a unique value, which is added to every malicious packet passed through the covert channel. Additionally, Moriya is capable of establishing a reverse shell session using an overt channel. 

The kernel-mode driver component takes advantage of the Windows Filtering Platform (WFP) to power up the hidden communications. Particularly, WFP creates a kernel space API that enables the malicious driver code to filter packets of interest and manage their processing by the Windows TCP/IP stack. The driver fetches the Moriya-related traffic using a filtering engine and blocks the packets to hide them from inspection. Simultaneously, unrelated traffic is processed as usual to avoid any security alerts from the system.

Operation TunnelSnake

Moriya rootkit powers a longlisting cyber-espionage campaign, dubbed Operation TunnelSnake by Kaspersky. Although the rootkit was identified on compromised networks during 2019-2020, experts believe that threat actors might have been active since 2018. The campaign is highly targeted, having only ten prominent diplomatic entities across Africa and Asia on the list of targets.

According to the researchers, an unknown APT group exploited vulnerable web servers to get initial access and place Moriya alongside other post-exploitation tools on the network. The toolset includes China Chopper web shell, BOUNCER, TRAN, Termite, Earthworm, and other sophisticated malware samples predominantly used for network discovery, lateral movement, and payload deployment. Although most of the tools are custom-made, researchers discovered some open source pieces of malware previously used by China-speaking APT actors. This fact points to the potential origin of attackers, however, the exact attribution is currently unknown. 

It worths noting that Moriya might be a successor of an older IISSpy rootkit observed during 2018 in attacks unrelated to TunnelSnake. Furthermore, Kaspersky experts tie Moriya to the ProcessKiller malware typically leveraged to bypass anti-virus protection.

Moriya Rootkit Detection

To detect possible malicious activity inside the organizational network, you can download a community Sigma rule released by our prolific Threat Bounty developer Osman Demir: https://tdm.socprime.com/tdm/info/ihN3d0opmHAn/#sigma

The rule has translations to the following languages:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye


Tactics: Persistence, Defense Evasion

Techniques: New Service (T1050), Rootkit (T1014)

Get a free subscription to Threat Detection Marketplace and boost your cyber-defense capabilities with our industry-first SOC content library. The library aggregates 100K+ queries, parsers, SOC-ready dashboards, YARA and Snort rules, Machine Learning models, and Incident Response Playbooks mapped to CVE and MITRE ATT&CK® frameworks. Want to participate in threat hunting initiatives and create your own Sigma rules? Join our Threat Bounty Program for a safer future!

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts