Cybercriminals evolve and tailor their toolset to maintain a considerable stealth level and infiltrate high-profile target networks. One such operation, dubbed TunnelSnake, is an ongoing APT campaign that uses passive backdoor and some additional tools to attack potential victims.

What is Operation TunnelSnake?

The unknown actor behind Operation TunnelSnake, active since at least 2018, was spotted targeting regional diplomatic entities in Asia and Africa.
  • TunnelSnake operators have been deploying a new passive backdoor and a Windows rootkit dubbed Moriya on public-facing servers within the victim organizations to covertly spy on their victims' network traffic and send commands to compromised hosts.
  • In addition, the operators have used a user-mode version (IISSpy) of the malware and network discovery tools (HTTP scanner and DCOM Scanner).
  • For lateral movement, they used tools such as Bouncer, China Chopper, and Custom PSExec, and for exfiltration purposes, Termite, Earthworm, and TRAN were used. 
  • Some of these tools have significant code overlaps with Moriya.

Additional insights

Kaspersky researchers found an older user-mode version of the Moriya rootkit, dubbed IISSpy, that was found in a standalone attack in 2018. That attack is unrelated to any of the attacks in the current operation.
  • IISSpy is used to target vulnerable IIS servers for establishing a backdoor in organizations’ underlying websites.
  • IISSpy exploits vulnerability CVE-2017-7269 to let the attackers gain an initial foothold on a server before running the malware.
  • Some open-source malware used in the campaign has a connection with Chinese-speaking threat actors as well, thereby compelling the researchers to suspect their involvement in this operation.
  • Kaspersky telemetry has found links of the developers of Moriya to a malware named ProcessKiller, that eliminates execution of processes, and shut down and block initiation of AV processes from kernel space.

Conclusion

The reports about Operation TunnelSnake indicate that yet another APT group (allegedly Chinese) is making its way into the international cyberespionage game. The use of sophisticated tools and considerable stealth levels allowed this group to hide its operations for such a long time, which further strengthens the importance of dynamic security systems for real-time identification and protection from such threats.

Cyware Publisher

Publisher

Cyware