IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Kaspersky exposes MysterySnail zero-day exploit in Windows

Elevation-of-privilege flaw could enable Chinese hackers to mount widespread spying campaign

Chinese hackers have attacked IT companies and defense contractors using a zero-day elevation-of-privilege exploit, according to security researchers.

Researchers at Kaspersky said an APT group exploited a zero-day vulnerability in the Windows Win32k kernel driver to develop a new RAT trojan. This exploit had many debug strings from an older, officially known exploit for the CVE-2016-3309 vulnerability. The malware, dubbed MysterySnail, was found on several Microsoft servers between August and September 2021.

The privilege escalation exploit used to develop the MysterySnail RAT targets Windows client and server versions, from Windows 7 and Windows Server 2008 to the latest versions, including Windows 11 and Windows Server 2022. Kaspersky reports that zero-day exploit also targets Windows client versions, however, it was only discovered on Windows Server systems.

Researchers said the root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API functions during the execution of those callbacks. The bug was triggered when the function ResetDC is executed a second time for the same handle during the execution of its own callback, said researchers.

The uncovered code similarity and the reuse of the Command and Control (C&C) infrastructure led researchers to connect these attacks to the IronHusky cyber espionage group and Chinese-sourced APT activity dating back to 2012.

Related Resource

Global security insights report 2021

Extended enterprise under threat

Whitepaper front coverFree download

Kaspersky first spotted the Chinese hacking group IronHusky by in 2017 as part of an investigation into a campaign targeting Russian and Mongolian government entities, airlines, and research centers. A year later, Kaspersky's investigators discovered that Chinese hackers began exploiting the CVE-2017-11882 vulnerability, a memory corruption vulnerability in Microsoft Office, to spread RATs commonly used by Chinese groups, including PlugX and PoisonIvy.

By analyzing the malware payload used with the zero-day exploit in MysterySnail, Kaspersky researchers found hacker used variants of this malware in widespread espionage campaigns against IT companies, military, defense contractors, and diplomatic entities. The malware collects and steals system information from compromised computers before contacting the command-and-control server for further commands.

The RAT can execute various commands on infected machines, such as running new processes, interrupting processes, and more. Researchers said the malware itself is not very sophisticated and has functionality like many other remote shells.

“But it still somehow stands out, with a relatively large number of implemented commands and extra capabilities like monitoring for inserted disk drives and the ability to act as a proxy,” said Kaspersky researchers Boris Larin and Costin Raiu.

The vulnerability identified as CVE-2021-40449 was fixed by Microsoft as part of this month's Patch Tuesday.

Featured Resources

Three ways manual coding is killing your business productivity

...and how you can fix it

Free Download

Goodbye broadcasts, hello conversations

Drive conversations across the funnel with the WhatsApp Business Platform

Free Download

Winning with multi-cloud

How to drive a competitive advantage and overcome data integration challenges

Free Download

Talking to a business should feel like messaging a friend

Managing customer conversations at scale with the WhatsApp Business Platform

Free Download

Recommended

Best security systems for business
cyber security

Best security systems for business

4 Oct 2022
Frontpoint review
cyber security

Frontpoint review

4 Oct 2022
Vivint review
cyber security

Vivint review

4 Oct 2022
Verisure review
cyber security

Verisure review

4 Oct 2022

Most Popular

How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
Vodafone UK confirms talks to merge with Three are underway
mergers and acquisitions

Vodafone UK confirms talks to merge with Three are underway

3 Oct 2022
What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022