Kaspersky exposes MysterySnail zero-day exploit in Windows

Chinese hackers have attacked IT companies and defense contractors using a zero-day elevation-of-privilege exploit, according to security researchers.

Researchers at Kaspersky said an APT group exploited a zero-day vulnerability in the Windows Win32k kernel driver to develop a new RAT trojan. This exploit had many debug strings from an older, officially known exploit for the CVE-2016-3309 vulnerability. The malware, dubbed MysterySnail, was found on several Microsoft servers between August and September 2021.

The privilege escalation exploit used to develop the MysterySnail RAT targets Windows client and server versions, from Windows 7 and Windows Server 2008 to the latest versions, including Windows 11 and Windows Server 2022. Kaspersky reports that zero-day exploit also targets Windows client versions, however, it was only discovered on Windows Server systems.

Researchers said the root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API functions during the execution of those callbacks. The bug was triggered when the function ResetDC is executed a second time for the same handle during the execution of its own callback, said researchers.

The uncovered code similarity and the reuse of the Command and Control (C&C) infrastructure led researchers to connect these attacks to the IronHusky cyber espionage group and Chinese-sourced APT activity dating back to 2012.

Kaspersky first spotted the Chinese hacking group IronHusky by in 2017 as part of an investigation into a campaign targeting Russian and Mongolian government entities, airlines, and research centers. A year later, Kaspersky's investigators discovered that Chinese hackers began exploiting the CVE-2017-11882 vulnerability, a memory corruption vulnerability in Microsoft Office, to spread RATs commonly used by Chinese groups, including PlugX and PoisonIvy.

By analyzing the malware payload used with the zero-day exploit in MysterySnail, Kaspersky researchers found hacker used variants of this malware in widespread espionage campaigns against IT companies, military, defense contractors, and diplomatic entities. The malware collects and steals system information from compromised computers before contacting the command-and-control server for further commands.

The RAT can execute various commands on infected machines, such as running new processes, interrupting processes, and more. Researchers said the malware itself is not very sophisticated and has functionality like many other remote shells.

“But it still somehow stands out, with a relatively large number of implemented commands and extra capabilities like monitoring for inserted disk drives and the ability to act as a proxy,” said Kaspersky researchers Boris Larin and Costin Raiu.

The vulnerability identified as CVE-2021-40449 was fixed by Microsoft as part of this month's Patch Tuesday.