A rootkit of unprecedented stealth and evasion has been uncovered while investigating the espionage campaign Operation Tunnelsnake. While the campaign appears thus far to be focused on Asia and Africa, IOCs have been published and should be investigated.
What is the nature of the threat?
Operation Tunnelsnake is an ongoing cyber-espionage campaign being perpetrated by an advanced persistent threat (APT), thought to be Chinese-speaking and focused on prominent diplomatic targets in Asia.
At the heart of the activity is a newly discovered rootkit dubbed Moriya.
Rootkits as a tool are very powerful as they are deployed at system code level, usually as a driver file, kernel module, or something with very low-level access. The Moriya rootkit is able to operate in kernel mode and use this extremely low-level access to circumvent the network stack and evade common security monitoring methods focused on network activity.
Moriya is also notable in its unique method for operating as a passive backdoor. Rather than proactively polling a command-and-control (C2) server for instructions, which would likely allow it to be detected as malicious, it waits for external communication from the threat actor who sends specially crafted packets directly to the compromised host. These packets are then stripped of any malware signature, evading security solutions which scan at the network level.
Post-exploitation
A rich menu of exploits and tools has been found on targeted hosts in which Moriya has achieved kernel mode and persistence.
Some of the tools found:
- For network discovery: HTTP scanner and DCOM scanner
- For lateral movement: BOUNCER and a customized version of PSExec.
- For exfiltration: Earthworm, Termite, and TRAN.
What’s at risk?
Operation Tunnelsnake is a cyber-espionage campaign and is intended to quietly collected intelligence and information from its targets via a cleverly evasive backdoor. Critical or classified information could be exfiltrated without detection.
What can I do to protect against this vulnerability?
Detection of Moriya requires scanning and search for hashes of known IOCs on the host. An EDR or endpoint protection tool is recommended.
Network and log-oriented tools such as SIEMS will not be able to detect it unless they’ve been supplied with log sources from a tool that can detect the hashes.
novaSOC customer assets have already been thoroughly scanned for all known IOCs.
Published IOCs
Kaspersky has published a table of known IOC hashes. Links lead to the Kasperky site with hashes in various formats:
| 48307C22A930A2215F7601C78240A5EE | Moriya Agent |
| A2C4EE84E3A95C8731CA795F53F900D5 | Moriya 64-bit Driver |
| 5F0F1B0A033587DBCD955EDB1CDC24A4 | IISSpy |
| C1159FE3193E8B5206006B4C9AFBFE62 | ProcessKiller |
| DA627AFEE096CDE0B680D39BD5081C41 | ProcessKiller Driver – 32-bit |
| 07CF58ABD6CE92D96CFC5ABC5F6CBC9A | ProcessKiller Driver – 64-bit |
| 9A8F39EBCC580AA56D6DDAF5804EAE61 | pv.tmp (Custom PSExec Server) |
| 39C361ABB74F9A338EA42A083E6C7DF8 | pc.tmp (Custom PsExec Client) |
| DE3FB65461EE8A68A3C7D490CDAC296D | tran.tmp (Exfiltration tool) |
| EAC0E57A22936D4C777AA121F799FEE6 | client.exe (Utility embedded in tran.tmp) |
| D745174F5B0EB41D9F764B22A5ECD357 | rasauto.dll (Bouncer Loader) |
| 595E43CDF0EDCAA31525D7AAD87B7BE4 | 8.tmp (HTTP )Scanner |
| 9D75B50727A8E732DB0ADE7E270A7395 | ep.tmp DCOM Scanner |
| 3A4E1F3F7E1BAAB8B02F3A8EE20F98C9 | nw.tmp Bouncer Loader |
| 47F2D06713DAD556F535E523B777C682 | Termite |
| 45A5D9053BC90ED657FA90DE0B775E8F | Earthworm |
What if IOCs are found?
There is no non-invasive method to remove Moriya. If IOCs are detected, incident response procedures should be initiated immediately, which will involve taking the compromised host offline for forensics.
Resources
SecureList by Kaspersky
https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/
ZJ
