Chinese hackers use Windows zero-day to attack IT companies

Chinese hackers carried out attacks on IT companies and contractors in the defense sector using an elevation of privilege exploit. Specifically, they exploited a zero-day vulnerability in the Windows Win32k kernel driver to deploy a new RAT trojan. The malware, named MysterySnail, was found by Kaspersky security researchers on many Microsoft servers between August and September 2021.

The vulnerability, identified as CVE-2021-40449, was fixed by Microsoft as part of this month's Patch Tuesday.

"In addition to identifying the zero-day vulnerability, we analyzed the malware payload used in conjunction with the zero-day exploit and found that malware variants were detected in extensive espionage campaigns against IT companies, military / defense contractors and diplomatic entities", said Kaspersky researchers Boris Larin and Costin Raiu.

"The code similarity and reuse of the C2 infrastructure we discovered allowed us to link these attacks to IronHusky, a Chinese APT team".


The Chinese hacking group IronHusky was first spotted by Kaspersky in 2017, during an investigation into a campaign targeting Russian and Mongolian government entities, airlines and research centers.

A year later, Kaspersky researchers discovered that the Chinese hackers had begun exploiting CVE-2017-11882, a Microsoft Office memory corruption vulnerability, to spread RATs commonly used by Chinese groups (including PlugX and PoisonIvy).

Privilege escalation zero-day is used for RAT development

The privilege escalation exploit used to deploy the MysterySnail RAT targets Windows client and server versions, from Windows 7 and Windows Server 2008 to the latest versions, including Windows 11 and Windows Server 2022.

Kaspersky reports that although the zero-day exploit also targets Windows client versions, it was only observed on Windows Server systems.

MysterySnail RAT, used by the Chinese hackers to target IT and defense companies, is designed to collect and steal system information from compromised computers before contacting the command-and-control server for further instructions.


The RAT can execute various commands on infected machines, such as launching new processes, terminating processes, and more.

However, the researchers say that the malware is not very sophisticated and that its functionality is similar to that of other RATs.

More technical details are available in the report published by Kaspersky.

Source: Bleeping Computer
