MysterySnail RAT abused by a China-Linked Threat Group to exploit Windows’ Zero-Day

November 5, 2021
IronHusky, a China-linked threat group, has been exploiting a zero-day flaw in Windows and deploying the MysterySnail RAT. The threat actors discovered a previously unknown flaw inside Windows that lets them elevate their privileges, take over servers and gather data valuable enough to hold for ransom.

The espionage campaign mainly affects Windows client and server versions from Windows 7 and Windows Server 2008 up to the latest releases, including Windows 11 and Windows Server 2022.

How does this China-backed threat group use the MysterySnail?

The China-backed group, known as IronHusky, exploits the Windows zero-day flaw to install a remote shell that lets the operators carry out malicious activity on the compromised host. One example of this exploitation is the MysterySnail malware, which the group uses to target a large number of servers.

MysterySnail collects and steals system information, then contacts its C2 server and waits for further instructions.

The malware also supports several other tasks, such as spawning new processes, launching interactive shells, killing running processes, and running a proxy server that supports up to 50 simultaneous connections.

The researchers who analysed MysterySnail note that the sample is unusually large, at almost 9 MB. Part of the size comes from the malware being compiled with the OpenSSL library, which it uses to secure its communications with the threat actors. The malware also contains at least two large functions whose only purpose is to waste processor clock cycles, which further bulks up the binary.

Despite its size, MysterySnail is not a sophisticated piece of malware. It does, however, implement many commands and a range of capabilities, such as enumerating connected disk drives and acting as a malicious proxy.

How did the researchers link MysterySnail RAT to the IronHusky threat group? 

The researchers were able to link the MysterySnail RAT to the IronHusky threat group because its C2 infrastructure, first used in 2012, overlaps with infrastructure the group is known to have used.

Furthermore, overlaps in code and functionality were identified with malware already attributed to IronHusky.

Conclusion 

The IronHusky APT group is increasing its impact by using the capable MysterySnail RAT to infiltrate Windows users. This shows that threat actors continue to evolve into more potent and better-organised cybercriminal groups that are also skilled at evading security measures. To stay safe, we advise everyone to remain vigilant and put adequate security controls in place.
