Researchers at anti-malware vendor Kaspersky are documenting a new, previously unknown Windows rootkit being used in the toolkit of an APT actor currently targetings diplomatic entities in Asia and Africa.
Dubbed Moriya, the rootkit provides the threat actor with the ability to intercept network traffic and hide commands sent to the infected machines, thus allowing the attackers to stay hidden within the compromised networks for months.
The rootkit is part of the toolkit used by TunnelSnake, an unknown actor that deploys backdoors onto public servers belonging to the targeted entities. Multiple other tools that show cover overlaps with the rootkit were also found.
Kaspersky discovered the rootkit on the networks of regional diplomatic organizations in Asia and Africa and says that the oldest identified instances are dated October 2019. The attacker managed to maintain persistence for several months after initially deploying the malware, with less than 10 victims identified to date.
[RELATED: Google: APT Group Burned 11 Zero-Days in Spying Operation ]
As part of an attack on an additional victim in South Asia, various tools were deployed for lateral movement, including one previously associated with APT1. Kaspersky’s security researchers believe that the attackers had access to the network since 2018.
To remain under the radar, the Moriya rootkit inspects network packets in kernel mode, drops packets of interest before they could be observed, and does not initiate a server connection, but waits for incoming traffic instead. Persistence is achieved through the creation of a service named Network Services Manager.
“This tool is a passive backdoor which allows attackers to inspect all in ..
Support the originator by clicking the read the rest link below.
