Researchers have discovered a zero-day exploit for Microsoft Windows that was being used to elevate privileges and take over Windows servers as part of a Chinese-speaking advanced persistent threat (APT) espionage campaign this summer. The exploit chain ended with a freshly discovered remote access trojan (RAT) dubbed MysterySnail being installed on compromised servers, with the goal of stealing data.
Microsoft patched the bug (CVE-2021-40449) as part of its October Patch Tuesday updates, issued this week.
According to a Tuesday analysis from Kaspersky researchers, the issue lurks in the Win32k kernel driver. It’s a use-after-free vulnerability, and “the root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API functions during execution of those callbacks,” they explained. “The CVE-2021-40449 is triggered when the function ResetDC is executed a second time for the same handle during execution of its own callback.”
This ultimately leaves a dangling pointer to a PDC object (the win32k kernel-side device context that backs the handle) that has already been destroyed, according to Kaspersky. A malformed PDC object can then be used to call an arbitrary kernel function, which the attackers turned into a primitive for reading and writing kernel memory.
“It’s possible to use publicly known techniques to leak kernel addresses of currently loaded drivers/kernel modules,” researchers said.
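The bug class described above, re-entering a kernel routine from a user-mode callback so that the object behind a handle is destroyed while the outer call still holds a pointer to it, is easier to see in a small model than in win32k. The following C program is an added illustration, not Kaspersky's exploit and not Windows code: `SimDC`, `sim_reset_dc_vulnerable`, `sim_reset_dc_hardened` and the static object pool are hypothetical stand-ins, and the `cb` parameter plays the role of the user-mode callback. Objects are marked freed instead of really being freed, so the stale access shows up as a return code rather than as undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Simulation of the re-entrant-callback use-after-free class behind
 * CVE-2021-40449. All names are hypothetical; nothing here touches
 * win32k. Objects live in a static pool and are flagged instead of
 * freed, so a stale pointer is observable rather than undefined.
 */
#define MAX_HANDLES 4
#define POOL_SIZE   16

typedef struct {
    unsigned generation;   /* unique per allocation: reveals a swapped object */
    bool     in_use;       /* false once "destroyed" */
    int      width, height;
} SimDC;

static SimDC    pool[POOL_SIZE];
static SimDC   *handle_table[MAX_HANDLES];
static unsigned next_generation = 1;
static int      pool_cursor = 0;          /* round-robin, like a busy kernel allocator */

/* depth lets a test hook re-enter exactly once, as a user-mode hook could */
typedef void (*user_callback_t)(int handle, int depth);

enum { RESET_OK = 0, RESET_BAD_HANDLE = -1, RESET_STALE_OBJECT = -2, RESET_REENTERED = -3 };

static SimDC *pool_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++) {
        int idx = (pool_cursor + i) % POOL_SIZE;
        if (!pool[idx].in_use) {
            pool[idx].in_use = true;
            pool[idx].generation = next_generation++;
            pool[idx].width = pool[idx].height = 0;
            pool_cursor = (idx + 1) % POOL_SIZE;
            return &pool[idx];
        }
    }
    return NULL;
}

static void pool_free(SimDC *dc) { dc->in_use = false; }

/* CreateDC analogue: allocate an object and bind it to a handle slot */
int sim_create_dc(int h) {
    if (h < 0 || h >= MAX_HANDLES || handle_table[h]) return RESET_BAD_HANDLE;
    SimDC *dc = pool_alloc();
    if (!dc) return RESET_BAD_HANDLE;
    handle_table[h] = dc;
    return RESET_OK;
}

/* Vulnerable ResetDC analogue: the object pointer is resolved once, a
 * user-mode callback runs, and the cached pointer is used afterwards. */
int sim_reset_dc_vulnerable(int h, user_callback_t cb, int depth) {
    if (h < 0 || h >= MAX_HANDLES || !handle_table[h]) return RESET_BAD_HANDLE;
    SimDC *pdc = handle_table[h];             /* cached before the callback */
    if (cb) cb(h, depth);                     /* user mode runs here and may re-enter */
    /* A nested call on the same handle has already destroyed and replaced
     * the object; pdc now dangles. Real code would keep using it. */
    if (!pdc->in_use) return RESET_STALE_OBJECT;
    pool_free(pdc);                           /* destroy the old object... */
    handle_table[h] = pool_alloc();           /* ...and install the replacement */
    return handle_table[h] ? RESET_OK : RESET_BAD_HANDLE;
}

/* Hardened version: look the handle up again after the callback and
 * refuse to continue if the object underneath it changed. */
int sim_reset_dc_hardened(int h, user_callback_t cb, int depth) {
    if (h < 0 || h >= MAX_HANDLES || !handle_table[h]) return RESET_BAD_HANDLE;
    unsigned gen_before = handle_table[h]->generation;
    if (cb) cb(h, depth);
    SimDC *pdc = handle_table[h];             /* re-resolve, never trust the old pointer */
    if (!pdc || pdc->generation != gen_before) return RESET_REENTERED;
    pool_free(pdc);
    handle_table[h] = pool_alloc();
    return handle_table[h] ? RESET_OK : RESET_BAD_HANDLE;
}

/* Constructed callbacks: one benign, two that re-enter once on the same handle. */
void benign_callback(int h, int depth) { (void)h; (void)depth; }
void reenter_vulnerable(int h, int depth) {
    if (depth == 0) sim_reset_dc_vulnerable(h, reenter_vulnerable, depth + 1);
}
void reenter_hardened(int h, int depth) {
    if (depth == 0) sim_reset_dc_hardened(h, reenter_hardened, depth + 1);
}

/* Reset the simulation so scenarios are independent. */
void sim_reset_state(void) {
    for (int i = 0; i < POOL_SIZE; i++) pool[i].in_use = false;
    for (int i = 0; i < MAX_HANDLES; i++) handle_table[i] = NULL;
    next_generation = 1;
    pool_cursor = 0;
}

int main(void) {
    sim_reset_state();
    sim_create_dc(0);
    printf("benign callback, vulnerable : %d\n", sim_reset_dc_vulnerable(0, benign_callback, 0));
    printf("re-entrant, vulnerable      : %d\n", sim_reset_dc_vulnerable(0, reenter_vulnerable, 0));
    printf("re-entrant, hardened        : %d\n", sim_reset_dc_hardened(0, reenter_hardened, 0));
    return 0;
}
```

The vulnerable path reports `RESET_STALE_OBJECT` only because the simulation flags freed slots; a real allocator would hand the same memory back to the next caller, which is exactly what an exploit arranges so that the dangling PDC pointer lands on attacker-shaped data. The hardened path shows the general fix: anything resolved from a handle before a user-mode callback must be resolved again afterwards.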
MysterySnail RAT in Action
As mentioned, the attackers used the exploit as part of a wider effort to install a remote shell on target servers, i.e., the MysterySnail malware, which was unknown prior to this campaign.
Kaspersky researchers said that the sample that they analyzed clocked in at a sizable 8.29MB, which immediately caught their notice.
“One of the reasons for the file size is that it’s statically compiled with the OpenSSL library and contains unused code and data belonging to that library,” they explained. “But the main reason for its size is the presence of two very large functions that do nothing but waste processor clock cycles. These functions also use randomly generated strings that are also present in a binary.”
These are likely anti-analysis functions, they added, noting that the code also contains other redundant logics and “the presence of a relatively large number of exported functions while the real work is performed by only one of them.”
The function responsible for executing the actual activities of the malware is called “GetInfo,” according to the analysis.
The malware decodes the command-and-control (C2) address and attempts to connect to it, falling back to tunneling through a proxy server if the direct connection fails.
From there, the malware gathers basic information about the victim machine: computer name, current OEM code-page/default identifier, Windows product name, local IP address, logged-in user name and campaign name.
“One interesting fact is that ‘campaign name’ by default is set to Windows,” according to the researchers. “This name gets overwritten, but it might indicate there are versions of the same RAT compiled for other platforms.”
Then it awaits encrypted commands from the C2. It supports 20 of them, including:
- Launch interactive cmd.exe shell. Before launch cmd.exe is copied to the temp folder with a different name
- Spawn new process
- Spawn new process (console)
- Get existing disk drives and their type. This function also works in the background, checking for new drives
- Create (upload) new file. If a file exists, append data to it
- Get directory list
- Kill arbitrary process
- Delete file
- Read file
- Set sleep time (in milliseconds)
- Shutdown network and exit
- Kill interactive shell
- Terminate file-reading operation
- No operation
- Open proxied connection to provided host. Up to 50 simultaneous connections are supported.
- Send data to proxied connection
- Close all proxy connections
- Close requested proxy connection
“The malware itself is not very sophisticated and has functionality similar to many other remote shells,” researchers noted. “But it still somehow stands out, with a relatively large number of implemented commands and extra capabilities like monitoring for inserted disk drives and the ability to act as a proxy.”
Link to IronHusky
During Kaspersky’s analysis of the MysterySnail RAT, the researchers linked the campaign to IronHusky APT activity through code and functionality overlap with malware previously attributed to that group, and found the RAT reusing C2 infrastructure from Chinese-speaking APT attacks dating back to 2012.
They also found other campaigns from this year that used earlier variants of MysterySnail.
“We were able to find direct code and functionality overlap with the malware attributed to the IronHusky actor,” researchers said. “We were also able to discover the re-use of C2 addresses used in attacks by the Chinese-speaking APT as far back as 2012. This discovery links IronHusky to some of the older known activities.”
IronHusky was first detected in summer 2017, and it has a history of using exploits to deliver RATs to targets. In 2017, for instance, Kaspersky discovered the group exploiting CVE-2017-11882 to spread the common PlugX and PoisonIvy RATs.
“It is very focused on tracking the geopolitical agenda of targets in central Asia with a special focus in Mongolia, which seems to be an unusual target,” the firm noted in its report on the activity. “This actor crafts campaigns for upcoming events of interest. In this case, they prepared and launched one right before a meeting with the International Monetary Fund and the Mongolian government at the end of January 2018. At the same time, they stopped their previous operations targeting Russian military contractors, which speaks volumes about the group’s limitations.”
The latest attacks have been targeted but extensive. Kaspersky researchers found variants of MysterySnail used in widespread espionage campaigns against IT companies, military and defense contractors, and diplomatic entities, according to the writeup.