Chinese hackers carried out attacks on IT companies and defense contractors using an elevation-of-privilege exploit. Specifically, the hackers exploited a zero-day vulnerability in the Windows Win32k kernel driver for the development of a new RAT trojan. The malware, named MysterySnail, was found by Kaspersky security researchers on many Microsoft servers between August and September 2021.
The vulnerability, tracked as CVE-2021-40449, was patched by Microsoft as part of this month's Patch Tuesday.
"In addition to identifying the zero-day vulnerability, we analyzed the malware payload used in conjunction with the zero-day exploit, and we found that malware variants were detected in extensive espionage campaigns against IT companies, military/defense contractors and diplomatic entities", said Kaspersky researchers Boris Larin and Costin Raiu.
"The code similarity and reuse of the C2 infrastructure we discovered allowed us to link these attacks to IronHusky, a Chinese APT team".
The Chinese hacking group IronHusky was first spotted by Kaspersky in 2017 as part of an investigation into attacks targeting Russian and Mongolian government entities, airlines and research centers.
A year later, Kaspersky researchers discovered that the group had begun exploiting CVE-2017-11882, a Microsoft Office memory-corruption vulnerability, to spread RATs commonly used by Chinese groups (including PlugX and PoisonIvy).
Privilege escalation zero-day is used for RAT development
The privilege escalation exploit used to develop the MysterySnail RAT targets Windows client and server versions, from Windows 7 and Windows Server 2008 up to the latest versions, including Windows 11 and Windows Server 2022.
Kaspersky reports that although the zero-day exploit also targets Windows client versions, it was only discovered on Windows Server systems.
The MysterySnail RAT, used by the Chinese hackers to target IT companies and defense companies, is designed to collect and steal system information from compromised computers before contacting the command-and-control server for further instructions.
The RAT can execute various commands on infected machines, such as launching new processes, terminating processes, and more.
However, the researchers say that the malware is not very sophisticated and that its functionality is similar to that of other RATs.
More technical details are available in the report published by Kaspersky.
Source: Bleeping Computer