Moriya Rootkit Infiltrates Windows Systems

A newly discovered threat has been working steadily at installing backdoors on Windows systems, security researchers recently reported. The rootkit is dubbed Moriya and is exploited by a persistent threat actor of still-unknown origins. Researchers believe the hackers behind Moriya are from a "Chinese-speaking" demographic.

Whoever the party behind Moriya may be, they have been using the malware since around 2018, but have been so good as staying hidden, it has been discovered just now. The campaign in which the malware was last used in large-scale attacks is called "Tunnel Snake" by researchers.

Moriya works primarily by installing passive backdoors on its victim systems. Those are usually public facing servers. Once the backdoor has been installed, the operators of Moriya use their command and control servers to further work the infected systems and networks.

Moriya has been used in attacks against African and Asian institutions. In some instances, researchers state, it was not used on its own but had an accompanying kit of additional malicious tools that allowed the attackers to gain access to the entire network.

This approach is called "lateral movement" and implies gaining increasingly more access to various branches of a network, usually in a search to exfiltrate sensitive or valuable data.

The Moriya rootkit also allows the actors who operate it to monitor both incoming and outgoing traffic on a compromised system. When packets designated for the malware are discovered in the data stream that the machine is receiving, the malware reacts.

As explained by the security researchers, this allows for very stealthy operation and even allows the hackers to feed shell commands into the victim system, then read their output values.

Moriya has been so successful in evading detection for a long time because this packet inspection abuses a Windows driver in kernel mode. This effectively means the malware managed to circumvent security software that the system might be running.

While not all instances where Moriya was found included the expanded malicious tool set, Moriya also works in tandem with an array of malicious applications that are used by and associated with Chinese hacking groups.

The only piece of good news in the story is that Moriya has been used in relatively few attacks so far. All of those attacks appear to have been very narrowly focused as well, with no current information of victims outside of Africa and Asia and a total of less than a dozen victims in those two territories.

By Zaib
May 7, 2021
Computer Security
English
May 7, 2021
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Malware

Chinese APT May be Behind the Newly Discovered Moriya Rootkit

The Moriya Rootkit is a newly identified threat that, however, might have been working for a long time before it was finally discovered. Rootkits like this one are designed to plant themselves deep into the operating... Read more

May 7, 2021
Password Security

Windows 10 Security Questions Are Not so Secure Afterall

Whenever you set up a new account anywhere, you can create a safety net that can help you recover your password in case you forget it. Any system that requires you to use a password should come with such a safety... Read more

January 10, 2019
How To

Windows Defender Not Working

Windows Defender is a core Windows feature, which is meant to protect your device from harmful software. By default, the app scans newly downloaded files for malicious properties, and it also warns you whenever you... Read more

April 8, 2021
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.