A Chinese-speaking hacking group exploited a zero-day vulnerability in the Windows Win32k kernel driver to deploy a new remote access trojan (RAT), tracked as MysterySnail.
The attacks were conducted between late August and early September 2021 and aimed at companies in the defense industry and IT firms. Kaspersky researchers found reported multiple attacks on Microsoft servers leveraging a zero-day exploit.
“In late August and early September 2021, Kaspersky technologies detected attacks with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a zero-day.” reported the analysis published by Kaspersky.
The researchers analyzed the RAT employed in the attack and found code similarity and re-use of C2 infrastructure that allowed them to link the operation to a Chinese-speaking APT group known as IronHusky.
The IronHusky APT has been active at least since 2017 when the group was spotted targeting Russian and Mongolian government entities, aviation companies, and research institutes.
The elevation of privilege exploit used in the latest attacks, supports the following Windows products:
The MysterySnail RAT analyzed by the researcher was uploaded to VT on August 10, 2021, experts noticed that it is very big (8.29MB) due to the presence of two very large functions that only waste processor clock cycles.
The RAT is not very sophisticated, however it implements 20 commands, including killing processes, managing files, spawning processes, operating proxy connections.
“The malware itself is not very sophisticated and has functionality similar to many other remote shells. But it still somehow stands out, with a relatively large number of implemented commands and extra capabilities like monitoring for inserted disk drives and the ability to act as a proxy.” concludes Kaspersky.
(SecurityAffairs – hacking, Windows)