A recently discovered malware operation aptly named TunnelSnake is hitting regional diplomatic bureaus in Asia and Africa using malicious code that gives the attacker nearly unlimited, under-the-radar control over a machine's operating system, endpoint security software provider Kaspersky said in an advisory.
The operation has been active for more than two years, with the attackers deploying a previously unknown rootkit called Moriya. Rootkits, collections of malicious programs and/or supporting software tools, are a staple of advanced persistent threat (APT) attacks. Moriya is a passive backdoor that lets attackers intercept network traffic and conceal the malicious commands they issue to infected systems. Most Windows rootkits are now used in high-profile APT attacks, including TunnelSnake, Kaspersky said.
Although the security specialist could not tie the series of attacks directly to Chinese operatives, the targets and tools are linked to known Chinese-speaking groups, Kaspersky said. An earlier version of the malware was used in a 2018 attack believed to be motivated by espionage, and researchers said the campaign Kaspersky discovered could be similarly motivated.
“While we were not able to attribute the campaign to a specific actor, both targets and tools used in the APT have a connection to known Chinese-speaking groups, thereby pointing to the actor likely also being Chinese-speaking,” said Giampaolo Dedola, a Kaspersky senior security researcher.
According to Kaspersky’s researchers, Moriya is hard for security defenders to pin down for two reasons:
- It intercepts and inspects network packets in transit from within the Windows kernel's address space, where typically only privileged and trusted code runs. This lets the malware drop the malicious packets delivered to it before they are processed by the operating system's network stack.
- The rootkit did not reach out to any server to request commands. Instead, it received them in specially marked packets blended in with the bulk of the network traffic it inspected, which removed the need to maintain a command-and-control infrastructure.
Malware campaigns in which the threat actors invest in their toolkits, refine their tactics and take special steps to remain unnoticed for as long as possible are becoming harder to defend against, said Mark Lechtik, a Kaspersky senior security researcher. “We see more and more covert campaigns such as TunnelSnake,” he said. “At the same time, as seen by our discovery, highly covert tools can also be spotted and stopped. This is an ongoing race between security vendors and threat actors, and to win it, we as a cybersecurity community need to continue to work together.”