
Rootkits and Advanced Persistent Threats

One of the most difficult forms of malware to manage is the rootkit. What makes certain types of rootkit so problematic is the difficulty of discovering their presence on a network, and then of removing them. Rootkits come in several varieties and are often utilised in advanced persistent threat (APT) attacks, where they allow malicious actors to maintain a backdoor into a network and to conceal the commands they direct at the compromised systems.

A rootkit does not usually break into a system by itself; it is installed once an attacker already holds administrative (or kernel) privileges, and its job is to keep that access and hide it. With that footing the attacker can change files and system settings and conceal the rootkit's own presence or that of other malware. Once these changes are in place you are essentially no longer in control of your own system. Your computer could also be incorporated into a botnet and its resources used as part of a distributed denial-of-service attack against somebody else.

Kernel-level rootkits are the most difficult to detect or remove. Running at the most privileged level, the rootkit effectively becomes part of the operating system: it can intercept the very system calls an anti-malware product uses to list files, processes and drivers, and simply leave itself out of the answers. The chances of a conventional scanner running on the infected system detecting or removing it are therefore very low. A rootkit at this level can also tamper with whatever is on the disk, and the closely related bootkits and firmware implants go a step further and modify the boot chain or the BIOS/UEFI firmware, so that they survive a reinstallation of the operating system.

Behavioural analysis can be especially useful in spotting malicious patterns of activity. Anti-virus programmes built around signature-based detection, i.e. matching the known signatures of previously caught malware, are of little use against a kernel-level rootkit: a new sample has no signature yet, and even a known one can hide the files and processes that the scanner would have to read in order to match it. Behavioural analysis, on the other hand, can at least detect typical rootkit abnormalities, such as a process that consumes CPU time or holds network sockets but does not appear in the process list, even if the rootkit itself cannot then be removed.

The damaging consequences of having a kernel-level rootkit installed are many. Security protection can be disabled to cover for other malicious software, every keystroke can be logged, and private data can be stolen, all by malware the user has no way of seeing.

Because kernel-level rootkits are so hard to eliminate, experts often say that cleaning one out of a running system is a lost cause, especially for general users, and that a rebuild from known-good media is the safer course. The operating system itself cannot be relied upon to scan for rootkits, since the compromised kernel is precisely the component doing the reporting. A much better strategy is memory forensics: take a memory dump, ideally from outside the infected system, and analyse it with a framework such as Volatility, which reads the kernel's data structures directly rather than asking the kernel to enumerate them. Rootkit activity, such as processes unlinked from the kernel's own process list or hooked system call entries, can be traced or detected this way.
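The idea that ties the behavioural checks above to memory-dump analysis is the cross-view comparison: enumerate the same objects two different ways and flag whatever one view shows that the other omits. The following is an added, constructed example (not code from the original article, from Kaspersky, or from any real forensic tool) that does this over a toy memory image laid out like a tiny kernel: fixed-size process records joined in a circular doubly linked list hanging off a list head, standing in for EPROCESS records on PsActiveProcessHead. The record layout, the "PROC" tag, the offsets and the process names are all invented for the illustration; PID 4242 is the one the simulated rootkit unlinks.

```python
"""Cross-view detection of a process hidden by DKOM, run over a constructed memory image.

Constructed example: the "memory image" is a bytearray laid out like a tiny kernel,
with fixed-size process records joined in a circular doubly linked list that hangs off
a list head (the analogue of EPROCESS records on PsActiveProcessHead). Nothing here is
a real Windows structure or real malware."""
import struct
from dataclasses import dataclass

RECORD_FMT = "<4sIII16s"                    # magic, pid, flink, blink, name
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 32 bytes
MAGIC = b"PROC"                             # plays the role of a pool tag
HEAD = 0x20                                 # list head: two uint32 fields, flink then blink
FIRST_RECORD = 0x100
STRIDE = 0x40                               # records are spread out with unused bytes between
IMAGE_SIZE = 0x400

# Constructed process table: (pid, name). PID 4242 is the one the "rootkit" will hide.
SAMPLE_PROCS = [(4, "System"), (372, "smss.exe"), (620, "csrss.exe"),
                (4242, "implant.exe"), (1480, "explorer.exe")]


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    offset: int


def _link_fields(off):
    """Return (flink_addr, blink_addr) for a record or for the list head."""
    return (off, off + 4) if off == HEAD else (off + 8, off + 12)


def _read_record(mem, off):
    _magic, pid, flink, blink, name = struct.unpack_from(RECORD_FMT, mem, off)
    return Proc(pid, name.rstrip(b"\0").decode(), off), flink, blink


def build_image(procs, hidden_pid=None):
    """Lay out the records and link them. If hidden_pid is given, unlink that record
    the way a DKOM rootkit would: the neighbours skip it, but the bytes stay in memory
    (in a real kernel its threads would keep being scheduled, so it keeps running)."""
    mem = bytearray(IMAGE_SIZE)
    offsets = [FIRST_RECORD + i * STRIDE for i in range(len(procs))]
    for i, (pid, name) in enumerate(procs):
        prev_off = offsets[i - 1] if i > 0 else HEAD
        next_off = offsets[i + 1] if i < len(procs) - 1 else HEAD
        struct.pack_into(RECORD_FMT, mem, offsets[i], MAGIC, pid, next_off, prev_off, name.encode())
    struct.pack_into("<II", mem, HEAD, offsets[0], offsets[-1])

    if hidden_pid is not None:
        victim = offsets[[pid for pid, _ in procs].index(hidden_pid)]
        _, flink, blink = _read_record(mem, victim)
        prev_flink_addr, _ = _link_fields(blink)
        _, next_blink_addr = _link_fields(flink)
        struct.pack_into("<I", mem, prev_flink_addr, flink)      # prev.flink = next
        struct.pack_into("<I", mem, next_blink_addr, blink)      # next.blink = prev
        struct.pack_into("<II", mem, victim + 8, victim, victim)  # victim points at itself
    return bytes(mem)


def walk_active_list(mem):
    """View 1: what the kernel (and hence Task Manager or tasklist) would report."""
    procs, cur = [], struct.unpack_from("<I", mem, HEAD)[0]
    while cur != HEAD:
        if len(procs) > IMAGE_SIZE // RECORD_SIZE:
            raise ValueError("list does not terminate: corrupted or malicious links")
        proc, flink, _ = _read_record(mem, cur)
        procs.append(proc)
        cur = flink
    return procs


def scan_records(mem):
    """View 2: carve every record by its tag, ignoring the links entirely."""
    found = []
    for off in range(0, IMAGE_SIZE - RECORD_SIZE + 1, 4):
        if mem[off:off + 4] == MAGIC:
            found.append(_read_record(mem, off)[0])
    return found


def find_hidden(mem):
    """Records present in memory but absent from the linked list: the rootkit's footprint."""
    listed = {p.pid for p in walk_active_list(mem)}
    return [p for p in scan_records(mem) if p.pid not in listed]


def demo():
    """Build an infected image and return the hidden PIDs (expected: [4242])."""
    mem = build_image(SAMPLE_PROCS, hidden_pid=4242)
    return sorted(p.pid for p in find_hidden(mem))


if __name__ == "__main__":
    image = build_image(SAMPLE_PROCS, hidden_pid=4242)
    print("linked list :", [p.pid for p in walk_active_list(image)])
    print("carved      :", [p.pid for p in scan_records(image)])
    for p in find_hidden(image):
        print(f"HIDDEN pid={p.pid} name={p.name} at offset {p.offset:#x}")
```

The linked-list walk is what the live operating system believes, and a rootkit that has unlinked itself is invisible to it; the tag scan never consults the links, so the unlinked record still turns up, and the difference between the two views is the detection. Against a real dump the same comparison is done by Volatility's process cross-view plugins, which add further views (handle tables, thread lists, session lists) so that an attacker has to hide from all of them at once.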

Kaspersky security researchers have named a highly stealthy rootkit discovered in the wild Moriya. It is a passive backdoor: rather than connecting out to a command and control server, it inspects incoming network traffic from within the Windows kernel and carries out commands hidden in specially crafted packets sent by the attackers. Because it opens no listening port of its own and generates no outbound beaconing, there is no command and control infrastructure for defenders to spot, which made this advanced persistent threat considerably harder to detect; Moriya remained hidden within victim networks for months. Various additional tools were employed to facilitate lateral movement within the targeted networks. This gave the threat actors the ability to essentially control the networks they were sitting in, and data could be exfiltrated with far less risk of setting off alarms. The unidentified threat actors using Moriya have been given the moniker TunnelSnake.

This APT actor has been targeting diplomatic organisations in Asia and Africa. Moriya has been designed to evade detection and to maintain a backdoor into specific networks. Kaspersky does not have definitive knowledge of who is behind this advanced persistent threat, although it does say there are strong indicators of Chinese-speaking origins, based on the types of tools employed.

The sophistication of these attacks and the care taken to remain covert are the hallmarks of a high-level threat actor. Moriya has been covertly operating on certain strategic networks for approximately two years.

1 Comment

Guest
Mar 22
Rated 5 out of 5 stars.

great article


© bitbybitsecure 2025

