A China-linked threat group, dubbed IronHusky, has been exploiting a zero-day vulnerability to deploy the MysterySnail RAT. The attackers used a previously unknown Windows privilege-escalation bug to take over servers.

Using MysterySnail on Windows

According to Kaspersky, the campaign impacts Windows client and server versions, from Windows 7 and Windows Server 2008 to the latest versions including Windows 11 and Windows Server 2022.
  • IronHusky exploits the zero-day to install a remote shell on targeted servers, which it then uses for malicious activity such as deploying the previously unknown MysterySnail malware.
  • MysterySnail gathers and steals system info before reaching out to its C2 server for more commands.
  • It performs multiple tasks such as spawning new processes, killing running ones, launching interactive shells, and running a proxy server with support for up to 50 parallel connections.
  • One of the analyzed samples is large, around 8.29 MB, because it is compiled with the OpenSSL library. It also contains two large functions that do nothing but waste processor clock cycles, which adds further to its size.

The malware is not especially sophisticated; however, it comes with a large number of implemented commands and extra capabilities, such as scanning for inserted disk drives and acting as a proxy.

About the zero-day

The exploited bug, tracked as CVE-2021-40449, was patched by Microsoft in the October Patch Tuesday release. It is a use-after-free vulnerability caused by the function ResetDC being executed a second time.
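The re-entrancy pattern behind a use-after-free of this kind, as an added illustration that is not from the article or from Kaspersky's analysis: a toy C model (the device-context struct, the slot allocator and both reset routines are constructed here and are not Windows kernel code) in which a reset routine hands control to a caller-supplied callback part-way through. The vulnerable version keeps using a buffer pointer captured before the callback, so a nested reset frees that buffer underneath it; the hardened version rejects re-entry with an in-progress flag and re-reads the object's state after the callback returns. The allocator records frees so the stale use surfaces as a result code rather than an actual memory fault.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of a re-entrancy use-after-free (constructed example, not
 * Windows kernel code): a "device context" owns a buffer, and the reset
 * routine runs a caller-supplied callback part-way through. If that
 * callback re-enters the reset routine, the outer call keeps using a
 * buffer the inner call already freed. */

#define POOL_SLOTS 8

/* Minimal allocator that records frees, so a stale access is reported
 * as a result code instead of dereferencing freed memory. */
typedef struct { int data; bool freed; } slot_t;
static slot_t pool[POOL_SLOTS];
static int next_slot;

static slot_t *pool_alloc(int data) {
    if (next_slot >= POOL_SLOTS) return NULL;
    pool[next_slot].data = data;
    pool[next_slot].freed = false;
    return &pool[next_slot++];
}
static void pool_free(slot_t *s) { s->freed = true; }
static void pool_reset(void) { next_slot = 0; }

typedef struct dc dc_t;
typedef void (*reset_cb_t)(dc_t *);
struct dc {
    slot_t *buf;
    reset_cb_t on_reset;  /* caller-supplied hook run during reset */
    bool resetting;       /* guard flag used only by the hardened version */
};

enum { RESET_OK = 0, RESET_STALE_USE = 1, RESET_REJECTED = 2 };

/* Vulnerable: captures the buffer pointer, runs the callback, then keeps
 * using the captured pointer even though a nested reset may have freed it. */
int reset_dc_vuln(dc_t *dc) {
    slot_t *old = dc->buf;
    if (dc->on_reset) dc->on_reset(dc);
    if (old->freed) return RESET_STALE_USE;  /* real code would read freed memory here */
    int data = old->data;
    pool_free(old);
    dc->buf = pool_alloc(data + 1);
    return RESET_OK;
}

/* Hardened: refuse re-entry while a reset is in progress, and re-read the
 * object's current state after the callback instead of trusting a pointer
 * captured before it ran. */
int reset_dc_safe(dc_t *dc) {
    if (dc->resetting) return RESET_REJECTED;
    dc->resetting = true;
    if (dc->on_reset) dc->on_reset(dc);
    slot_t *cur = dc->buf;
    int data = cur->data;
    pool_free(cur);
    dc->buf = pool_alloc(data + 1);
    dc->resetting = false;
    return RESET_OK;
}

/* Test harness: a callback that re-enters the reset routine exactly once
 * and records what the nested call returned. */
typedef int (*reset_fn_t)(dc_t *);
static reset_fn_t target_reset;
static int depth;
static int nested_result;

static void reentrant_cb(dc_t *dc) {
    if (depth++ == 0) nested_result = target_reset(dc);
    depth--;
}

/* Runs one reset with or without a re-entering callback and returns the
 * outer call's result code. */
int run_scenario(reset_fn_t reset, bool reenter) {
    pool_reset();
    dc_t dc = { pool_alloc(1), reenter ? reentrant_cb : NULL, false };
    target_reset = reset;
    depth = 0;
    nested_result = -1;
    return reset(&dc);
}

int last_nested_result(void) { return nested_result; }

int main(void) {
    printf("vulnerable, re-entered: %d\n", run_scenario(reset_dc_vuln, true));
    printf("hardened,   re-entered: %d (nested call: %d)\n",
           run_scenario(reset_dc_safe, true), last_nested_result());
    return 0;
}
```

The guard flag alone is enough to stop the nested call; re-reading `dc->buf` after the callback is the second, independent defence, so that even a future code path which legitimately swaps the buffer during the callback does not leave the outer call holding a stale pointer.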

Connection to IronHusky

  • Kaspersky has linked the MysterySnail RAT to the IronHusky APT group because of the reuse of C2 infrastructure first employed in 2012. Other campaigns have used earlier variants of the malware.
  • Moreover, a direct code and functionality overlap has been discovered with the malware associated with IronHusky.

Ending Notes

The IronHusky APT group is using the highly capable MysterySnail RAT to infect Windows users, which shows that such threat groups are becoming more resilient and better at hiding themselves. To stay protected, experts recommend that organizations remain proactive and keep adequate security measures in place.

Cyware Publisher