Kaspersky exposes MysterySnail zero-day exploit in Windows

Elevation-of-privilege flaw could enable Chinese hackers to mount widespread spying campaign

Chinese hackers have attacked IT companies and defense contractors using a zero-day elevation-of-privilege exploit, according to security researchers.

Researchers at Kaspersky said an APT group exploited a zero-day vulnerability in the Windows Win32k kernel driver to develop a new RAT trojan. This exploit had many debug strings from an older, officially known exploit for the CVE-2016-3309 vulnerability. The malware, dubbed MysterySnail, was found on several Microsoft servers between August and September 2021.

The privilege escalation exploit used to develop the MysterySnail RAT targets Windows client and server versions, from Windows 7 and Windows Server 2008 to the latest versions, including Windows 11 and Windows Server 2022. Kaspersky reports that zero-day exploit also targets Windows client versions, however, it was only discovered on Windows Server systems.

Researchers said the root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API functions during the execution of those callbacks. The bug was triggered when the function ResetDC is executed a second time for the same handle during the execution of its own callback, said researchers.

The uncovered code similarity and the reuse of the Command and Control (C&C) infrastructure led researchers to connect these attacks to the IronHusky cyber espionage group and Chinese-sourced APT activity dating back to 2012.

Related Resource

Global security insights report 2021

Extended enterprise under threat

Whitepaper front coverDownload now

Kaspersky first spotted the Chinese hacking group IronHusky by in 2017 as part of an investigation into a campaign targeting Russian and Mongolian government entities, airlines, and research centers. A year later, Kaspersky's investigators discovered that Chinese hackers began exploiting the CVE-2017-11882 vulnerability, a memory corruption vulnerability in Microsoft Office, to spread RATs commonly used by Chinese groups, including PlugX and PoisonIvy.

By analyzing the malware payload used with the zero-day exploit in MysterySnail, Kaspersky researchers found hacker used variants of this malware in widespread espionage campaigns against IT companies, military, defense contractors, and diplomatic entities. The malware collects and steals system information from compromised computers before contacting the command-and-control server for further commands.

The RAT can execute various commands on infected machines, such as running new processes, interrupting processes, and more. Researchers said the malware itself is not very sophisticated and has functionality like many other remote shells.

“But it still somehow stands out, with a relatively large number of implemented commands and extra capabilities like monitoring for inserted disk drives and the ability to act as a proxy,” said Kaspersky researchers Boris Larin and Costin Raiu.

The vulnerability identified as CVE-2021-40449 was fixed by Microsoft as part of this month's Patch Tuesday.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

A quarter of all malicious JavaScript is obfuscated
hacking

A quarter of all malicious JavaScript is obfuscated

20 Oct 2021
Almost 70% of CISOs expect a ransomware attack
ransomware

Almost 70% of CISOs expect a ransomware attack

19 Oct 2021
Organizations warned of ransomware risk from smaller operators
ransomware

Organizations warned of ransomware risk from smaller operators

19 Oct 2021
Iranian hacking group continues to target US citizens
hacking

Iranian hacking group continues to target US citizens

18 Oct 2021

Most Popular

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021