The MysterySnail RAT Targets IT Companies and Defense Contractors
The MysterySnail RAT is a new piece of malware targeting Windows systems. It has been active since August 2021, and its operators have been exploiting zero-day vulnerabilities in Windows. The most recent of these is CVE-2021-40449, but the attackers also rely on older exploits, such as CVE-2016-3309, against systems that have not been patched for them.
After the discovery of the MysterySnail RAT, researchers were able to identify the same payload in older attacks that targeted IT companies, diplomatic entities, and contractors in the military and defense sectors. The recent use of the MysterySnail RAT has been tentatively attributed to the China-based Advanced Persistent Threat (APT) actor known as Iron Husky.
The MysterySnail RAT Uses Randomly Generated Code for Obfuscation
Malware developers often aim to keep their payloads as small as possible: a small file attracts less attention and can slip past security tools that inspect large binaries less thoroughly. The MysterySnail RAT is unusually large, with an executable of over 8 MB. The attackers fill that extra space with randomly generated code intended to obscure the executable's true purpose, which may be why MysterySnail was only recently identified and analysed in detail.
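A defender triaging an oversized binary like the one described above will usually want to know where the bulk lives and whether it looks like filler. The following is an added example, not code from the original article or from the researchers who analysed MysterySnail: a small chunked Shannon-entropy scan that reports contiguous high-entropy regions and flags a file when those regions exceed a size budget. The chunk size, the 7.0 bits-per-byte threshold and the 1 MiB budget are assumptions chosen for illustration, and the sample buffer is constructed with a seeded PRNG rather than taken from any real sample.

```python
"""Chunked entropy triage for oversized executables (illustrative, not the article's code)."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropy(data: bytes, chunk_size: int = 4096):
    """Yield (offset, entropy) for each fixed-size chunk of the buffer."""
    for off in range(0, len(data), chunk_size):
        yield off, shannon_entropy(data[off:off + chunk_size])


def high_entropy_runs(data: bytes, chunk_size: int = 4096, threshold: float = 7.0):
    """Merge adjacent chunks at or above `threshold` into runs of (start, end_exclusive, mean_entropy)."""
    runs, start, vals = [], None, []
    for off, ent in chunk_entropy(data, chunk_size):
        if ent >= threshold:
            if start is None:
                start, vals = off, []
            vals.append(ent)
        elif start is not None:
            runs.append((start, off, sum(vals) / len(vals)))
            start = None
    if start is not None:
        # A run that continues to the end of the last full chunk.
        last_full = (len(data) // chunk_size) * chunk_size
        end = len(data) if len(data) % chunk_size == 0 else last_full + chunk_size
        runs.append((start, min(end, len(data)), sum(vals) / len(vals)))
    return runs


def triage(data: bytes, min_padding_bytes: int = 1 << 20,
           chunk_size: int = 4096, threshold: float = 7.0) -> dict:
    """Flag a file whose high-entropy regions add up to at least `min_padding_bytes` (assumed budget)."""
    runs = high_entropy_runs(data, chunk_size, threshold)
    padded = sum(end - start for start, end, _ in runs)
    return {
        "size": len(data),
        "high_entropy_bytes": padded,
        "ratio": (padded / len(data)) if data else 0.0,
        "runs": runs,
        "suspicious": padded >= min_padding_bytes,
    }


# Constructed sample (not a real binary): a tiny "MZ" header, 64 KiB of zeros, then 512 KiB of
# seeded pseudo-random filler standing in for randomly generated padding code.
_rng = random.Random(1234)
SAMPLE = b"MZ" + bytes(64 * 1024) + _rng.randbytes(512 * 1024)

if __name__ == "__main__":
    report = triage(SAMPLE, min_padding_bytes=256 * 1024)
    print(f"size={report['size']} high_entropy_bytes={report['high_entropy_bytes']} "
          f"ratio={report['ratio']:.2f} suspicious={report['suspicious']}")
    for start, end, mean in report["runs"]:
        print(f"  run 0x{start:08x}-0x{end:08x} mean_entropy={mean:.2f}")
```

High entropy is a triage signal, not a verdict: packed, compressed or encrypted resources in legitimate software score just as high, so the run offsets are best used to decide which regions to inspect next (for example, whether a run sits inside a code section or in an overlay), rather than as a standalone detection.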
When the MysterySnail RAT infects a machine, it gathers information and sends it to the attacker's server: the computer name and user name, the exact Windows version, and the local IP address. The operators can then send remote commands to the implant, instructing it to perform the tasks it supports:
- Start and close processes.
- Retrieve information about hard drives, partitions, folders, and files.
- Upload and execute files.
- Modify the file system.
- Put the implant to sleep for a set time.
- Open a proxy connection.
The discovery of the MysterySnail RAT and its infrastructure has helped malware researchers learn more about Iron Husky's current operations.