Does Defender or other security tools find it? How ironic a Russian firm has published a Chinese hack. Would they publish a Russian hack?
Unknown threat actors have been employing a Windows rootkit for years to stealthily install backdoors on vulnerable machines.
In a campaign dubbed Operation TunnelSnake by Kaspersky researchers, the team said on Thursday that an advanced persistent threat (APT) group, origin unknown but suspected of being Chinese-speaking, has used the rootkit to quietly take control of networks belonging to organizations.
Rootkits are packages of tools that are designed to stay under the radar by hiding themselves in deep levels of system code. Rootkits can range from malware designed to attack the kernel to firmware, or memory, and will often operate with high levels of privilege.
According to Kaspersky, the newly-discovered rootkit, named Moriya, is used to deploy passive backdoors on public-facing servers. The backdoors are then used to establish a connection -- quietly -- with a command-and-control (C2) server controlled by the threat actors for malicious purposes.
The backdoor allows attackers to monitor all traffic, incoming and outgoing, that passes through an infected machine and filter out packets sent for the malware.
Read more:
I think this one is a bit above the tools we run on Windows. We need to hope the public-facing server folks are on top of this one.
Kaspersky is known for making free rootkit removal tools. Since they discovered this rootkit, I would assume they will come out with one, if they haven't already.
When I saw the name of this rootkit, the first thing that came to mind was this song. Different spelling but same sound.