Security experts from Kaspersky uncovered a sophisticated cyber-espionage campaign that leverages a Windows zero-day (CVE-2021-40449) to attack IT companies, military contractors, and diplomatic institutions. The campaign is attributed to a China-linked APT group tracked as IronHusky, which exploited CVE-2021-40449 to infect systems with a previously unknown remote access Trojan dubbed MysterySnail.
The Windows zero-day (CVE-2021-40449) is an elevation-of-privilege flaw that resides in the NtGdiResetDC function of the Win32k driver. According to Kaspersky's analysis, the bug is a use-after-free: NtGdiResetDC invokes a user-mode callback, and calling ResetDC a second time for the same handle from inside that callback frees the PDC (device context) object, which the kernel then continues to use after the callback returns. The exploit abuses the freed PDC object to call an arbitrary kernel function with controlled parameters and thereby read and write kernel memory.
CVE-2021-40449 affects the majority of Windows client and server versions, from the older Windows 7 and Windows Server 2008 up to the latest Windows 11 and Windows Server 2022. Although the flaw is present in both client and server installations, Kaspersky observed only Windows Server systems being targeted in the wild.
Kaspersky reported the vulnerability to Microsoft, which patched it in the October 2021 Patch Tuesday release.
The CVE-2021-40449 privilege escalation exploit was actively leveraged in the wild to deliver a custom remote access Trojan, tracked as MysterySnail by Kaspersky researchers. The RAT is remote-shell-type malware that collects system information from compromised hosts and executes a set of basic commands received from the attackers' command-and-control (C&C) server. In particular, the Trojan can read and delete files, kill arbitrary processes, create and upload new files, spawn new processes, launch interactive shells, act as a proxy server, and more.
According to experts, MysterySnail functionality is typical for remote shells and is not really advanced. Yet, the new Trojan stands out among its “siblings” due to the large list of commands and additional capabilities like the ability to act as a proxy.
Kaspersky's research links MysterySnail with the China-affiliated IronHusky APT. While analyzing the latest cyber-espionage campaign, security experts identified that the operation relied on the same C&C infrastructure IronHusky has used since 2012. Additionally, analysis of MysterySnail revealed code overlap with other malicious samples attributed to the group.
The first traces of IronHusky activity were identified in 2017 during the investigation of a campaign aimed at Russian and Mongolian government and military assets. In 2018, Kaspersky researchers detected IronHusky exploiting a Microsoft Office memory corruption flaw (CVE-2017-11882) to deliver PlugX and PoisonIvy, RATs frequently used by Chinese-speaking hacking collectives.
To detect possible compromise by the MysterySnail RAT, you can download a set of dedicated Sigma rules released by our keen Threat Bounty developers.
This rule by Sittikorn Sangrattanapitak helps to detect possible MysterySnail infections via the CVE-2021-40449 Windows zero-day. The detection has translations for the following SIEM and Security Analytics platforms: Azure Sentinel, ELK Stack, Chronicle Security, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Securonix, Qualys.
The rule is mapped to the MITRE ATT&CK framework, addressing the Command and Control tactic. In particular, the detection covers the Data Encoding (T1132) technique as well as the Web Protocols sub-technique (T1071.001) of the Application Layer Protocol (T1071) technique.
This rule by Osman Demir also detects MysterySnail infections performed with the recently discovered Windows zero-day. The detection has translations for the following SIEM and Security Analytics platforms: Azure Sentinel, ELK Stack, Chronicle Security, Splunk, Sumo Logic, ArcSight, QRadar, Humio, SentinelOne, Microsoft Defender ATP, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Securonix.
The rule is mapped to the MITRE ATT&CK framework, addressing the Execution tactic. In particular, the detection covers the Windows Command Shell sub-technique (T1059.003) of the Command and Scripting Interpreter (T1059) technique as well as the Rundll32 sub-technique (T1218.011) of the Signed Binary Proxy Execution (T1218) technique.
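To show how a process-creation rule mapped to T1218.011 and T1059.003 is evaluated in practice, the following is an added illustrative example, not the Threat Bounty rule from this post and not MysterySnail-specific detection logic. It implements a minimal Sigma-style matcher (field modifiers `endswith`/`contains`/`startswith`, AND within a selection, OR across list values, and a simple `condition` over named selections) and runs a hypothetical rule, cmd.exe spawned by rundll32.exe with a known-good filter, over constructed Sysmon-style events. Field names follow the Sysmon process-creation schema; the events, the rule and its filter are assumptions made for the example.

```python
# Added example: tiny Sigma-style evaluator for a process_creation rule.
# Rule, filter and events are constructed for illustration only.

# Hypothetical rule in Sigma layout (not the Threat Bounty rule from the post).
RULE = {
    "title": "cmd.exe spawned by rundll32.exe (illustrative)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "ParentImage|endswith": "\\rundll32.exe",
            "Image|endswith": ["\\cmd.exe"],
        },
        # Assumed benign case: Control Panel launches via shell32.dll
        "filter_known_good": {
            "ParentCommandLine|contains": "shell32.dll,Control_RunDLL",
        },
        "condition": "selection and not filter_known_good",
    },
    "tags": [
        "attack.execution", "attack.t1059.003",
        "attack.defense_evasion", "attack.t1218.011",
    ],
}

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentCommandLine": r"rundll32.exe C:\Users\Public\loader.dll,Start"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe",
     "ParentCommandLine": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentCommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "cmd.exe /c echo benign",
     "ParentCommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Sigma value modifiers; comparisons are case-insensitive, as on Windows.
MODIFIERS = {
    "equals": lambda v, p: v.lower() == p.lower(),
    "endswith": lambda v, p: v.lower().endswith(p.lower()),
    "startswith": lambda v, p: v.lower().startswith(p.lower()),
    "contains": lambda v, p: p.lower() in v.lower(),
}


def field_matches(event, key, pattern):
    """Match one 'Field|modifier' entry; list values are OR-ed together."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(MODIFIERS[modifier or "equals"](str(value), str(p)) for p in patterns)


def selection_matches(event, selection):
    """All field entries inside one selection map are AND-ed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Evaluate the condition over named selections (and/or/not only)."""
    detection = rule["detection"]
    names = {n: selection_matches(event, s)
             for n, s in detection.items() if n != "condition"}
    # Condition strings here are plain boolean expressions over selection names;
    # builtins are disabled so only those names resolve.
    return bool(eval(detection["condition"], {"__builtins__": {}}, names))


def run(rule, events):
    """Return the events that trigger the rule."""
    return [e for e in events if evaluate(rule, e)]


def attack_techniques(rule):
    """Extract technique IDs (T1234 / T1234.001) from Sigma attack.* tags."""
    return [t.split(".", 1)[1].upper() for t in rule["tags"]
            if t.startswith("attack.t")]


if __name__ == "__main__":
    for hit in run(RULE, SAMPLE_EVENTS):
        print("ALERT:", RULE["title"], "|", hit["ParentCommandLine"], "->", hit["CommandLine"])
    print("Mapped techniques:", attack_techniques(RULE))
```

Only the first event fires: the second has a different parent, the third has rundll32.exe as the child rather than the parent, and the fourth is suppressed by the filter. When deploying a rule like this, tune the filter against your own baseline of rundll32.exe parents before enabling alerting.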
Register for SOC Prime's Detection as Code Platform to access the most up-to-date Sigma-based threat detection content, continuously updated by 300+ researchers and delivered to 20+ SIEM and XDR platforms. Eager to participate in our crowdsourcing initiative for individual cyber defenders and develop your own Sigma rules? Join our Threat Bounty Program!