Moriya Rootkit

Moriya Rootkit Description

A new, especially stealthy rootkit dubbed Moriya by infosec researchers has been observed as part of an active espionage campaign. The operation is being tracked as TunnelSnake; it appears to have started back in 2018 and to still be active. The campaign appears to be limited in scope, targeting only a handful of specific high-value entities. So far, fewer than 10 victims infected with the Moriya Rootkit have been detected. The compromised networks belonged to Asian and African diplomatic entities and other high-profile organizations. The apparent goal of the hackers is to gain control of their victims' internal networks, achieve persistence, and remain hidden for a prolonged time while gathering data. After the initial Moriya Rootkit infection, several other malware threats are used in post-exploitation activities, including China Chopper, Termite, Bouncer and Earthworm. While the exact APT or hacker group responsible for the attack hasn't been determined, certain characteristics of the operation point towards a Chinese-speaking threat actor.

A Rootkit with Boosted Stealth Capabilities

The Moriya Rootkit follows the trend among highly specialized threat actors of investing additional effort and resources in making their malicious tools more sophisticated, better suited to their particular needs, and equipped with additional anti-detection techniques. Rootkits are generally harder to uncover, as they bury themselves deep inside the operating system while giving the threat actor near-full control over the compromised machine. The Moriya Rootkit places itself in the Windows kernel's address space, a region of the system's memory where only privileged, trusted code is expected to run. Once established, the malware allows the TunnelSnake operators to intercept and analyze incoming traffic to the infected system.

To further mask its presence, the Moriya Rootkit doesn't rely on communication with a remote Command-and-Control server to receive commands. Instead, the threat scans for custom-crafted packets merged into the usual traffic of the victim's internal network. This is yet another sign that the operators behind the Moriya Rootkit and the TunnelSnake operation put heavy emphasis on evading detection and maintaining access to their chosen targets for as long as possible.