According to Kaspersky researchers, the advanced persistent threat (APT) campaign has been active since 2019, with the attackers deploying a previously unknown rootkit dubbed Moriya, a malware with nearly absolute power over the operating system that enables the threat actors to intercept network traffic and conceal malicious commands.
The threat actors have the capability to evolve and tailor their toolset to target different environments, and have used this evasive Windows rootkit to infiltrate high-profile organizations in South Asia and Africa.
How Does the Moriya Rootkit Infiltrate the Networks of High-Profile Organizations?
Moriya first emerged in November 2020, when Kaspersky researchers discovered the stealthy implant in the networks of inter-governmental organizations operating in South Asia and Africa.
The malicious activity associated with the operation dates back to 2019, and the rootkit remained inside the victims' networks for several months after the initial infection. The rootkit is particularly evasive thanks to two traits: it is able to intercept and inspect network packets in transit from within the Windows kernel's address space.
The Windows kernel's address space is the memory region where the operating system's kernel resides, and typically only privileged and trusted code is able to run within it. Operating there allows the malware to drop unique malicious packets delivered to the infected machine before they are processed by the system's network stack, which enables the attackers to avoid detection by security solutions that only see traffic after the stack has handled it.
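Because a kernel-resident implant of this kind runs as a driver, one practical defender check is to audit which kernel drivers are loaded and who signed them. The following PowerShell script is an added example (not from the article or from Kaspersky's research): it lists running drivers that are unsigned, fail signature validation, or are not signed by Microsoft; the Microsoft signer pattern and the path normalisation rules are assumptions for a typical Windows install and may need widening in your environment.

```powershell
# Added example: flag running kernel drivers whose Authenticode signature is
# missing, invalid, or not from Microsoft. Run from an elevated PowerShell.
# The signer pattern below is an assumption; adjust it for your environment.
$msSigner = '^CN=Microsoft (Windows|Corporation)'

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName uses NT-style prefixes; map them to a
    # filesystem path that Get-AuthenticodeSignature can open.
    param([string]$RawPath)
    if (-not $RawPath) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32', "$env:SystemRoot\System32"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$running = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }

$findings = foreach ($drv in $running) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        # A running driver whose image cannot be located is itself worth a look.
        [pscustomobject]@{ Name = $drv.Name; Path = $drv.PathName; Status = 'FileNotFound'; Signer = '' }
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch $msSigner) {
        [pscustomobject]@{ Name = $drv.Name; Path = $path; Status = $sig.Status; Signer = $signer }
    }
}

# Unsigned / invalid entries sort ahead of merely non-Microsoft ones.
$findings | Sort-Object Status, Name | Format-Table -AutoSize
```

Expect legitimate third-party drivers (graphics, storage, security products) to appear; triage by path and signer rather than treating every hit as malicious. A rootkit may also hide its own driver from this enumeration, so compare the output against EDR telemetry or an offline scan rather than relying on it alone.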
The rootkit was mostly deployed via a compromised web server within the targets' organizations; in one instance, the attackers had infected a server with the China Chopper webshell, malicious code that allows remote control of the infected server.
How Can Organizations Protect Themselves from Such Advanced Persistent Threats?
The TunnelSnake campaign once again demonstrates the level of sophistication of threat actors who are now investing significant resources in designing evasive toolsets to infiltrate the networks of high-profile organizations without being detected.
Therefore, it is recommended that organizations perform regular security audits of their IT infrastructure to reveal possible vulnerabilities in their systems. They should also ensure that anti-APT and EDR solutions are installed on their systems, as these enable threat discovery and detection, allowing timely remediation before an actual attack.
Additionally, the organization's SOC team should be provided with access to the latest threat intelligence and regularly up-skilled through relevant professional training.