By security practitioners, for security practitioners novacoast federal | Pillr | novacoast | about innovate
By security practitioners, for security practitioners

Cyber-Espionage Campaign Operation Tunnelsnake Utilizes Highly Evasive Rootkit “Moriya”

A rootkit of unprecedented stealth and evasion has been uncovered while investigating the espionage campaign Operation Tunnelsnake. While the campaign appears thus far to be focused on Asia and Africa, IOCs have been published and should be investigated.

What is the nature of the threat?

Operation Tunnelsnake is an ongoing cyber-espionage campaign being perpetrated by an advanced persistent threat (APT), thought to be Chinese-speaking and focused on prominent diplomatic targets in Asia. 

At the heart of the activity is a newly discovered rootkit dubbed Moriya.

Rootkits as a tool are very powerful as they are deployed at system code level, usually as a driver file, kernel module, or something with very low-level access. The Moriya rootkit is able to operate in kernel mode and use this extremely low-level access to circumvent the network stack and evade common security monitoring methods focused on network activity. 

Moriya is also notable in its unique method for operating as a passive backdoor. Rather than proactively polling a command-and-control (C2) server for instructions, which would likely allow it to be detected as malicious, it waits for external communication from the threat actor who sends specially crafted packets directly to the compromised host. These packets are then stripped of any malware signature, evading security solutions which scan at the network level.


A rich menu of exploits and tools has been found on targeted hosts in which Moriya has achieved kernel mode and persistence.

Some of the tools found:

  • For network discovery: HTTP scanner and DCOM scanner
  • For lateral movement: BOUNCER and a customized version of PSExec.  
  • For exfiltration: Earthworm,  Termite, and TRAN.

What’s at risk?

Operation Tunnelsnake is a cyber-espionage campaign and is intended to quietly collected intelligence and information from its targets via a cleverly evasive backdoor. Critical or classified information could be exfiltrated without detection.

What can I do to protect against this vulnerability?

Detection of Moriya requires scanning and search for hashes of known IOCs on the host. An EDR or endpoint protection tool is recommended. 

Network and log-oriented tools such as SIEMS will not be able to detect it unless they’ve been supplied with log sources from a tool that can detect the hashes.

novaSOC customer assets have already been thoroughly scanned for all known IOCs.

Published IOCs

Kaspersky has published a table of known IOC hashes. Links lead to the Kasperky site with hashes in various formats:

48307C22A930A2215F7601C78240A5EEMoriya Agent
A2C4EE84E3A95C8731CA795F53F900D5Moriya 64-bit Driver
DA627AFEE096CDE0B680D39BD5081C41ProcessKiller Driver – 32-bit
07CF58ABD6CE92D96CFC5ABC5F6CBC9AProcessKiller Driver – 64-bit
9A8F39EBCC580AA56D6DDAF5804EAE61pv.tmp (Custom PSExec Server)
39C361ABB74F9A338EA42A083E6C7DF8pc.tmp (Custom PsExec Client)
DE3FB65461EE8A68A3C7D490CDAC296Dtran.tmp (Exfiltration tool)
EAC0E57A22936D4C777AA121F799FEE6client.exe (Utility embedded in tran.tmp)
D745174F5B0EB41D9F764B22A5ECD357rasauto.dll (Bouncer Loader)
595E43CDF0EDCAA31525D7AAD87B7BE48.tmp (HTTP )Scanner
9D75B50727A8E732DB0ADE7E270A7395ep.tmp DCOM Scanner
3A4E1F3F7E1BAAB8B02F3A8EE20F98C9nw.tmp Bouncer Loader

What if IOCs are found?

There is no non-invasive method to remove Moriya. If IOCs are detected, incident response procedures should be initiated immediately, which will involve taking the compromised host offline for forensics. 


SecureList by Kaspersky


Previous Post

Dell issues update to fix multiple critical privilege escalation vulnerabilities

Next Post

Briefing on the Colonial Pipeline Attack

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.