Kaspersky exposes MysterySnail zero-day exploit in Windows

Elevation-of-privilege flaw could enable Chinese hackers to mount widespread spying campaign

Chinese hackers have attacked IT companies and defense contractors using a zero-day elevation-of-privilege exploit, according to security researchers.

Researchers at Kaspersky said an APT group exploited a zero-day vulnerability in the Windows Win32k kernel driver to develop a new RAT trojan. This exploit had many debug strings from an older, officially known exploit for the CVE-2016-3309 vulnerability. The malware, dubbed MysterySnail, was found on several Microsoft servers between August and September 2021.

The privilege escalation exploit used to develop the MysterySnail RAT targets Windows client and server versions, from Windows 7 and Windows Server 2008 to the latest versions, including Windows 11 and Windows Server 2022. Kaspersky reports that zero-day exploit also targets Windows client versions, however, it was only discovered on Windows Server systems.

Researchers said the root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API functions during the execution of those callbacks. The bug was triggered when the function ResetDC is executed a second time for the same handle during the execution of its own callback, said researchers.

The uncovered code similarity and the reuse of the Command and Control (C&C) infrastructure led researchers to connect these attacks to the IronHusky cyber espionage group and Chinese-sourced APT activity dating back to 2012.

Related Resource

Global security insights report 2021

Extended enterprise under threat

Whitepaper front coverFree download

Kaspersky first spotted the Chinese hacking group IronHusky by in 2017 as part of an investigation into a campaign targeting Russian and Mongolian government entities, airlines, and research centers. A year later, Kaspersky's investigators discovered that Chinese hackers began exploiting the CVE-2017-11882 vulnerability, a memory corruption vulnerability in Microsoft Office, to spread RATs commonly used by Chinese groups, including PlugX and PoisonIvy.

By analyzing the malware payload used with the zero-day exploit in MysterySnail, Kaspersky researchers found hacker used variants of this malware in widespread espionage campaigns against IT companies, military, defense contractors, and diplomatic entities. The malware collects and steals system information from compromised computers before contacting the command-and-control server for further commands.

The RAT can execute various commands on infected machines, such as running new processes, interrupting processes, and more. Researchers said the malware itself is not very sophisticated and has functionality like many other remote shells.

“But it still somehow stands out, with a relatively large number of implemented commands and extra capabilities like monitoring for inserted disk drives and the ability to act as a proxy,” said Kaspersky researchers Boris Larin and Costin Raiu.

The vulnerability identified as CVE-2021-40449 was fixed by Microsoft as part of this month's Patch Tuesday.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

UK's first government cyber strategy aims to bolster public sector defences
cyber security

UK's first government cyber strategy aims to bolster public sector defences

25 Jan 2022
Russia's "politically motivated" REvil raid could be used as leverage, experts warn
ransomware

Russia's "politically motivated" REvil raid could be used as leverage, experts warn

17 Jan 2022
Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp
phishing

Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp

21 Dec 2021
Five things to consider before choosing an MFA solution
Security

Five things to consider before choosing an MFA solution

17 Dec 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022