Cybercriminals continually evolve their tooling, and the newer tools have raised the level of stealth considerably. One such operation is TunnelSnake, an ongoing APT campaign that uses a passive backdoor and several supporting tools against its targets.
The operation has been active since 2018 and is run by a previously unknown threat actor. It targeted regional diplomatic entities in Asia and Africa.
- TunnelSnake deploys a previously unseen backdoor and rootkit, dubbed Moriya, on public-facing servers. It lets the operators spy on the victim, inspect the host's network traffic, and send commands to the compromised hosts.
- The operators also have a user-mode version of the malware, along with network discovery tools.
- Different tools serve different functions. For lateral movement they used tools such as Bouncer and China Chopper; for exfiltration they used Termite, Earthworm, and TRAN.
Some additional insights:
- IISSpy is used to attack vulnerable IIS servers and establish a backdoor in the organisation's underlying websites.
- IISSpy exploits CVE-2017-7269 (a buffer overflow in the WebDAV component of IIS 6.0) to gain the initial foothold.
- Researchers suspect Chinese involvement, since some of the open-source malware used has connections to Chinese-speaking actors.
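A practitioner reading the foothold bullet will want a concrete check. The following is an added example, not code from the original article or from any of the tools it names. CVE-2017-7269 is triggered by a WebDAV PROPFIND request carrying an oversized `If:` header, so the detector parses raw HTTP requests and flags that shape. The 256-byte threshold, the `Finding` type and the sample requests are assumptions constructed for the example; standard W3C IIS logs do not record the `If:` header, so this logic has to run on raw requests captured at a proxy, WAF or packet tap.

```python
"""Flag HTTP requests shaped like CVE-2017-7269 (IIS 6.0 WebDAV) exploitation attempts.

Added example, not part of the original article. Sample requests below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: benign WebDAV If: headers carry lock tokens or ETags and stay short.
IF_HEADER_MAX_LEN = 256


@dataclass
class Finding:
    method: str
    target: str
    if_header_len: int
    reason: str


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, bytes]]]:
    """Split a raw HTTP/1.x request into (method, target, lowercase-name headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1", "replace").split(" ")
    if len(parts) < 2:
        return None  # malformed request line; nothing to score
    method, target = parts[0], parts[1]
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, _, value = line.partition(b":")
        # Header names are case-insensitive; values are kept as bytes so length is exact.
        headers[name.strip().decode("latin-1").lower()] = value.strip()
    return method, target, headers


def check_request(raw: bytes) -> Optional[Finding]:
    """Return a Finding for a PROPFIND whose If: header exceeds the threshold, else None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, target, headers = parsed
    if method.upper() != "PROPFIND":
        return None  # the ScStoragePathFromUrl overflow is reached through PROPFIND
    if_value = headers.get("if", b"")
    if len(if_value) > IF_HEADER_MAX_LEN:
        return Finding(method, target, len(if_value), "oversized If: header on PROPFIND")
    return None


def scan(requests: Iterable[bytes]) -> List[Finding]:
    """Run check_request over a batch of captured requests and keep the hits."""
    return [f for f in (check_request(r) for r in requests) if f is not None]


# Constructed sample traffic (not real captures).
BENIGN_PROPFIND = (
    b"PROPFIND /webdav/ HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"Depth: 1\r\n"
    b"If: (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SUSPICIOUS_PROPFIND = (
    b"PROPFIND / HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"If: <http://localhost/" + b"A" * 900 + b">\r\n"
    b"Content-Length: 0\r\n\r\n"
)
LONG_IF_ON_GET = (
    b"GET / HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"If: <http://localhost/" + b"A" * 900 + b">\r\n\r\n"
)

if __name__ == "__main__":
    for finding in scan([BENIGN_PROPFIND, SUSPICIOUS_PROPFIND, LONG_IF_ON_GET]):
        print(finding)
```

The `GET` sample is kept to show the rule is deliberately narrow: the overflow is reached through PROPFIND, so an oversized `If:` on another method is not flagged here. Tune the threshold against your own WebDAV traffic before deploying, and treat any hit against an IIS 6.0 host as a reason to take the server offline rather than just alert.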
Daily reports about campaigns like Operation TunnelSnake show that yet another malware family has entered the world of cyber espionage. Its advanced, highly stealthy tooling allowed it to remain undetected for a long time. Organisations need to raise their security posture to stay safe from such attacks, starting with patching or retiring the public-facing servers this campaign relies on for its initial foothold.