Attackers used exploit to deploy a new remote shell Trojan called MysterySnail.


One of the vulnerabilities patched by Microsoft has been exploited by a Chinese cyber-espionage group since at least August. The attack campaigns targeted IT companies, defence contractors and diplomatic entities.

According to researchers from Kaspersky Lab, the malware deployed with the exploit and its command-and-control infrastructure point to a connection with a known Chinese APT group tracked as IronHusky that has been operating since 2017, but also with other China-based APT activity going back to 2012.

Privilege escalation vulnerability in Windows GDI driver

The group was observed leveraging a previously unknown vulnerability in Win32k.sys, a system driver that's part of the Windows Graphics Device Interface (GDI), which has been a common source of vulnerabilities in the past.

The flaw, tracked as CVE-2021-40449, affects all supported Windows versions and those that are no longer supported and allows code to be executed with system privileges.

Since this is a privilege escalation vulnerability, it is only used to gain complete control of the targeted systems and is not the original method of entry. The exploit used in the attacks borrows code from a public exploit for another Win32k vulnerability patched in 2016 (CVE-2016-3309). Despite the exploit being written to support all versions of Windows since Vista, the Kaspersky researchers only saw it being used on Windows servers.

"In the discovered exploit attackers are able to achieve the desired state of memory with the use of GDI palette objects and use a single call to a kernel function to build a primitive for reading and writing kernel memory," the researchers said in their report.

"This step is easily accomplished, because the exploit process is running with Medium IL and therefore it’s possible to use publicly known techniques to leak kernel addresses of currently loaded drivers/kernel modules. In our opinion, it would be preferable if the Medium IL processes had limited access to such functions as NtQuerySystemInformation or EnumDeviceDrivers."

MysterySnail RAT

The hackers used the privilege escalation exploit to deploy a remote shell Trojan (RAT) that Kaspersky dubbed MysterySnail. Attackers can use this malware program to execute Windows shell commands, gather information about the disks and folders, delete, read and upload files, kill processes and more.

A sample of the malware was first uploaded to the VirusTotal database on August 10 and stands out through its unusually large size of 8.29MB. This is because the malware bundles a stand-alone version of the OpenSSL library, which it uses for encrypted communications, and two very large functions that only waste processor clock cycles and are probably meant to evade emulation and antivirus detection.

Another interesting feature is that the malware attempts to tunnel its communications through a proxy server if connecting to the command-and-control server directly is blocked. It does this by enumerating the values under the “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer” registry key.
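As an added illustration, not code from the article or from Kaspersky's analysis: a small Python helper that parses the WinINet `ProxyServer` value stored under that key, so a responder can tell which egress proxies a compromised host would fall back to when checking proxy logs for the RAT's traffic. The value formats and the `ProxyEnable` flag are standard Windows behaviour; the helper names and the sample values in the test are constructed.

```python
import platform
from typing import Dict, Optional

# Hypothetical helper, not from the article or the malware: it parses the
# WinINet "ProxyServer" value under the registry key named above, so a
# responder can see which egress proxies a host would fall back to.
KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Map scheme -> 'host:port' from a ProxyServer value string.

    WinINet accepts either a bare 'host:port' (used for every scheme,
    recorded here under '*') or 'scheme=host:port' entries joined by ';'.
    """
    proxies: Dict[str, str] = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:
            scheme, _, target = entry.partition("=")
            if scheme.strip() and target.strip():
                proxies[scheme.strip().lower()] = target.strip()
        else:
            proxies["*"] = entry
    return proxies


def proxy_for_scheme(value: str, scheme: str = "https") -> Optional[str]:
    """Proxy a client would use for `scheme`, or None if none is configured."""
    proxies = parse_proxy_server(value)
    return proxies.get(scheme.lower(), proxies.get("*"))


def read_local_proxy_server() -> Optional[str]:
    """Read HKCU ProxyServer on Windows; None elsewhere or when unset/disabled."""
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only standard-library module
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH) as key:
            enabled, _ = winreg.QueryValueEx(key, "ProxyEnable")
            if not enabled:
                return None
            value, _ = winreg.QueryValueEx(key, "ProxyServer")
            return str(value)
    except OSError:
        return None
```

Run `parse_proxy_server(read_local_proxy_server() or "")` on a Windows host to list the proxies it would hand to any process that reads the same key.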

"The analysis of the MysterySnail RAT helped us discover campaigns using other variants of the analysed malware as well as study and document the code changes made to this tool over a six-month period," the researchers said.

"With the help of Kaspersky Threat Attribution Engine (KTAE) and the discovery of early variants of MysterySnail RAT, we were able to find direct code and functionality overlap with the malware attributed to the IronHusky actor."

IronHusky has been running cyber-espionage campaigns since 2017 and its previous target selection suggested a geopolitical agenda. For example, the group targeted Mongolian government entities, which are not a common target, before a meeting with the International Monetary Fund in 2018.

Before that, the group was seen targeting Russian military contractors. At the time, it was using off-the-shelf Trojans like PlugX and PoisonIvy that were typical of Chinese-speaking APT activity.
