Pierluigi Paganini October 13, 2021

A Chinese-speaking hacking group exploited a Windows zero-day vulnerability in a wave of attacks on defense and IT businesses.

A Chinese-speaking hacking group exploited a zero-day vulnerability in the Windows Win32k kernel driver to deploy a new remote access trojan (RAT), tracked as MysterySnail.

The attacks were conducted between late August and early September 2021 and aimed at companies in the defense industry and IT firms. Kaspersky researchers found reported multiple attacks on Microsoft servers leveraging a zero-day exploit.

“In late August and early September 2021, Kaspersky technologies detected attacks with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a zero-day.” reported the analysis published by Kaspersky.

The vulnerability is a use-after-free issue in the Win32k kernel driver, tracked as CVE-2021-40449, that was addressed by Microsoft with the release of October Patch Tuesday security updates.

The researchers analyzed the RAT employed in the attack and found code similarity and re-use of C2 infrastructure that allowed them to link the operation to a Chinese-speaking APT group known as IronHusky.

The IronHusky APT has been active at least since 2017 when the group was spotted targeting Russian and Mongolian government entities, aviation companies, and research institutes.

The elevation of privilege exploit used in the latest attacks, supports the following Windows products:

• Microsoft Windows Vista
• Microsoft Windows 7
• Microsoft Windows 8
• Microsoft Windows 8.1
• Microsoft Windows Server 2008
• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012
• Microsoft Windows Server 2012 R2
• Microsoft Windows 10 (build 14393)
• Microsoft Windows Server 2016 (build 14393)
• Microsoft Windows 10 (build 17763)
• Microsoft Windows Server 2019 (build 17763)

The MysterySnail RAT analyzed by the researcher was uploaded to VT on August 10, 2021, experts noticed that it is very big (8.29MB) due to the presence of two very large functions that only waste processor clock cycles. 

The RAT is not very sophisticated, however it implements 20 commands, including killing processes, managing files, spawning processes, operating proxy connections. 

“The malware itself is not very sophisticated and has functionality similar to many other remote shells. But it still somehow stands out, with a relatively large number of implemented commands and extra capabilities like monitoring for inserted disk drives and the ability to act as a proxy.” concludes Kaspersky.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Windows)

[adrotate banner=”5″]

[adrotate banner=”13″]