A Chinese-language hacking group exploited a zero-day vulnerability in the Windows Win32k kernel driver to deploy a previously unknown Remote Access Trojan (RAT).
The malware, known as MysterySnail, was found by Kaspersky security researchers on several Microsoft servers between late August and early September 2021.
They also found an elevation-of-privilege exploit targeting the Win32k driver security vulnerability tracked as CVE-2021-40449, which Microsoft fixed today as part of this month's Patch Tuesday.
“In addition to finding the zero-day in the wild, we analyzed the payload of the malware used with the zero-day exploit, and found that variants of the malware were detected in widespread spy campaigns against IT companies, military/defense contractors and diplomatic entities,” Kaspersky researchers Boris Larin and Costin Raiu said.
“The code similarity and reuse of C2 infrastructure that we discovered allowed us to link these attacks to the actor known as IronHusky and Chinese-speaking APT activity dating back to 2012.”
The IronHusky APT was first spotted by Kaspersky in 2017 while it investigated a campaign targeting Russian and Mongolian government entities, airlines and research institutes, with the ultimate goal of gathering intelligence on Russian-Mongolian military negotiations.
A year later, Kaspersky researchers observed them exploiting the Microsoft Office memory corruption vulnerability CVE-2017-11882 to distribute RATs commonly used by Chinese-speaking groups, including PlugX and PoisonIvy.
Zero-day privilege escalation used to deploy RATs
The elevation-of-privilege exploit used to deploy the MysterySnail RAT in these attacks targets both client and server versions of Windows, from Windows 7 and Windows Server 2008 through the latest versions, including Windows 11 and Windows Server 2022, that are not patched against CVE-2021-40449.
While the zero-day exploit that Kaspersky spotted in the wild also supports targeting of Windows client versions, it was only discovered on Windows Server systems.
The MysterySnail RAT is designed to collect and exfiltrate system information from compromised hosts before contacting its command and control server for further commands.
MysterySnail can perform a variety of tasks on infected machines, ranging from spawning new processes and killing existing ones, to launching interactive shells and running a proxy server that supports up to 50 simultaneous connections.
“The malware itself is not very sophisticated and has functionality similar to those of many other remote shells,” the two researchers added.
“But it still stands out in one way or another, with a relatively large number of controls implemented and additional capabilities such as monitoring inserted disk drives and the ability to act as a proxy.”
Further technical details and indicators of compromise can be found in the report released by Kaspersky today.