A Chinese-speaking hacker gang exploited a zero-day flaw in the Windows Win32k kernel driver to launch a previously unknown remote access trojan (RAT), MysterySnail.
Kaspersky security experts discovered the MysterySnail malware on numerous Microsoft servers between August and September 2021.
They also discovered an elevation-of-privilege exploit targeting the Win32k driver vulnerability CVE-2021-40449, which Microsoft fixed on Tuesday.
Kaspersky researchers investigated the malware payload used with the zero-day exploit. They detected variants of the malware that were used in broad espionage efforts targeting IT businesses, military/defense contractors, and diplomatic institutions.
Based on the code similarities and re-use of C2 infrastructure they identified, these attacks could be linked to the IronHusky actor and to Chinese-speaking APT activity dating back to 2012.
Kaspersky discovered the Chinese-speaking IronHusky APT in 2017 while looking into a campaign targeting Russian and Mongolian government institutions, aviation firms, and research institutes to gather intelligence on Russian-Mongolian military discussions.
One year later, Kaspersky researchers found them using the CVE-2017-11882 Microsoft Office memory corruption vulnerability to distribute RATs such as PlugX and PoisonIvy, which are often used by Chinese-speaking threat groups.
The privilege escalation vulnerability used to deploy the MysterySnail RAT in these attacks is tracked as CVE-2021-40449. It affects Windows client and server versions ranging from Windows 7 and Windows Server 2008 to the most recent releases, including Windows 11 and Windows Server 2022.
The MysterySnail RAT is designed to gather and steal system information from infected systems before checking in with its command-and-control server for further commands.
On infected devices, MysterySnail can carry out a variety of actions, including creating new processes and terminating existing ones, as well as launching interactive shells and a proxy server capable of handling up to 50 simultaneous connections.
More technical details and indicators of compromise can be found in Kaspersky's report.