Rare new Windows rootkit spotted in Chinese APT attacks

Ever since Microsoft bolstered security features with the release of Windows 10, rootkits have become a rarity on the malware scene, as developing and then successfully installing one without getting detected or blocked has become significantly more difficult than in previous years.

But in a report published today, security firm Kaspersky said it discovered a rare new Windows rootkit that has remained undetected since at least 2018 and has been deployed in some highly targeted attacks.

Rootkit was linked to suspected Chinese APT activity

Kaspersky said the rootkit, which it named Moriya, was developed by a mysterious threat actor that bears all the signs of being a Chinese cyber-espionage group (also known as an APT).

"Unfortunately, we are not able to attribute the attack to any particular known actor, but based on the TTPs used throughout the campaign, we suppose it is a Chinese-speaking one," the Kaspersky GReAT team said today.

"We base this on the fact that the targeted entities were attacked in the past by Chinese-speaking actors, and are generally located in countries that are usually targeted by such an actor profile. Moreover, the tools leveraged by the attackers, such as China Chopper, BOUNCER, Termite and Earthworm, are an additional indicator supporting our hypothesis as they have previously been used in campaigns attributed to well-known Chinese-speaking groups," the company added.

Kaspersky said that based on its telemetry, the attacks were highly targeted, and the group delivered the Moriya rootkit to less than ten victims across the world.

"The most prominent victims are two large regional diplomatic organizations in South-East Asia and Africa, while all the others were victims in South Asia," it added.

Moriya used a clever design to avoid detection

The Russian security firm said the threat actor remained undetected because of Moriya's design, which besides borrowing tried-and-tested techniques used by the rootkits of other APTs (such as Turla, Lamberts, and Equation Group), also used its own trickery.

This included interposing itself between the Windows TCP/IP network stack and incoming network traffic, and then intercepting data packets before they reached the operating system and any locally installed antivirus.

Moriya would parse these incoming network data to look for a so-called "magic value" in TCP packets which would activate the rootkit's functions and instruct the malware to carry out various operations.

As to how Moriya was installed inside organizations, Kaspersky said that the entry point was usually outdated IIS web servers. One confirmed entry point, according to the security firm, was a server that was not patched for a vulnerability tracked as CVE-2017-7269, which the attackers abused to install a web shell on the victim's server and then use it to deploy Moriya.

Despite known incidents of Moriya deployments being so rare, Kaspersky has published indicators of compromise to allow companies to scan servers and workstations for Moriya artifacts.