Moriya Rootkit Infiltrates Windows Systems
A newly discovered threat has been working steadily at installing backdoors on Windows systems, security researchers recently reported. The rootkit is dubbed Moriya and is exploited by a persistent threat actor of still-unknown origins. Researchers believe the hackers behind Moriya are from a "Chinese-speaking" demographic.
Whoever the party behind Moriya may be, they have been using the malware since around 2018, but have been so good as staying hidden, it has been discovered just now. The campaign in which the malware was last used in large-scale attacks is called "Tunnel Snake" by researchers.
Moriya works primarily by installing passive backdoors on its victim systems. Those are usually public facing servers. Once the backdoor has been installed, the operators of Moriya use their command and control servers to further work the infected systems and networks.
Moriya has been used in attacks against African and Asian institutions. In some instances, researchers state, it was not used on its own but had an accompanying kit of additional malicious tools that allowed the attackers to gain access to the entire network.
This approach is called "lateral movement" and implies gaining increasingly more access to various branches of a network, usually in a search to exfiltrate sensitive or valuable data.
The Moriya rootkit also allows the actors who operate it to monitor both incoming and outgoing traffic on a compromised system. When packets designated for the malware are discovered in the data stream that the machine is receiving, the malware reacts.
As explained by the security researchers, this allows for very stealthy operation and even allows the hackers to feed shell commands into the victim system, then read their output values.
Moriya has been so successful in evading detection for a long time because this packet inspection abuses a Windows driver in kernel mode. This effectively means the malware managed to circumvent security software that the system might be running.
While not all instances where Moriya was found included the expanded malicious tool set, Moriya also works in tandem with an array of malicious applications that are used by and associated with Chinese hacking groups.
The only piece of good news in the story is that Moriya has been used in relatively few attacks so far. All of those attacks appear to have been very narrowly focused as well, with no current information of victims outside of Africa and Asia and a total of less than a dozen victims in those two territories.