A Chinese hacking group is exploiting vulnerabilities in Windows operating systems to install a previously unknown Trojan horse that gives the attackers subsequent remote access. The malware, known as MysterySnail, was discovered by Kaspersky security experts on various servers between late August and early September 2021.
In addition, they detected repeated abuse of a Win32k driver security bug, logged as CVE-2021-40449, to obtain elevated user privileges. Microsoft fixed this security flaw in its October Patch Tuesday update.
Malware mystery
“In addition to finding a zero-day bug, we analyzed the functionality of the malware used and found that variants of this malicious code were detected in large-scale spy campaigns against IT companies, military/defense contractors and diplomatic entities,” Kaspersky experts Boris Larin and Costin Raiu said.
Code similarity and the reuse of C2 infrastructure linked these attacks to a group called IronHusky and to Chinese hacking activity dating back to 2012. The IronHusky hacking group was first identified in 2017 during an investigation into a campaign targeting Russian and Mongolian governments, airlines and research institutes to gather intelligence on Russo-Mongol military talks.
The MysterySnail attacks target client and server versions of Windows, from Windows 7 and Windows Server 2008 up to the latest releases, including Windows 11 and Windows Server 2022, on which the fix for CVE-2021-40449 has not been installed.
Remote control by hackers
The MysterySnail Trojan is designed to collect system information from infected machines and then wait for further commands from its command-and-control server. In this way, after a successful intrusion the hackers gain almost complete control over the computer.
MysterySnail can perform various tasks on infected computers, from starting new processes and ending running processes to starting interactive shells and a proxy server with support for up to 50 simultaneous connections.
“The malware itself is not very sophisticated and has similar characteristics to many other remote computer control applications,” the two researchers added. “However, it excels in some ways, with a relatively large number of implemented commands and other capabilities, such as on-board disk drive monitoring and the ability to act as a proxy server.” For more technical details and indicators of compromise, see the report published by Kaspersky.