Microsoft Patches Zero-Day Abused in MysterySnail RAT Attacks

In yesterday's Patch Tuesday Microsoft patched 71 vulnerabilities and a handful of zero-day bugs in its products. One of the vulnerabilities patched was a privilege escalation bug that was reportedly already used in the wild to spread a malicious tool called MysterySnail.

The MysterySnail malware has been identified as a remote access trojan or RAT. According to security researchers, MysterySnail has been used in cyberespionage attacks targeted at western entities. Among the targets are IT firms and defense contractors.

Earlier in 2021, MysterySnail was used in a series of attacks against those targets. Researchers believe the attacks originated from a Chinese-speaking advanced persistent threat actor, likely the one codenamed IronHusky.

The attacks were targeting then-unpatched Microsoft Windows server systems. The vulnerability abused in the attacks has been flagged as CVE-2021-40449 and is described as a Win32k Elevation of Privilege.

The reason why researchers believe the attacks were the work of the IronHusky APT is that there were chunks of very similar code in the payload of the MysterySnail remote access trojan. The malware also made use of command and control server infrastructure that is ordinarily used by IronHusky, researchers noticed.

While the MysterySnail RAT is not particularly sophisticated by most standards, it does include command capabilities that allow it to shut down system processes, handle files on the victim system, open new proxy connections and create new processes according to the needs of the operators.

The vulnerability involved is also described as a use-after-free bug that resides in the Win32k kernel. Use-after-free issues are related to improper usage and freeing of memory in program operation.

October 13, 2021